On Thu 22-09-22 21:04:01, Zhihao Cheng wrote:
> It would be better to do more sanity checking (eg. dqdh_entries,
> block no.) for the content read from quota file, which can prevent
> corrupting the quota file.
>
> Signed-off-by: Zhihao Cheng <chengzhihao1@xxxxxxxxxx>
> ---
> fs/quota/quota_tree.c | 43 +++++++++++++++++++++++++++++++++----------
> 1 file changed, 33 insertions(+), 10 deletions(-)
>
> diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c
> index 47711e739ddb..54fe4ad71de5 100644
> --- a/fs/quota/quota_tree.c
> +++ b/fs/quota/quota_tree.c
> @@ -71,12 +71,12 @@ static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
> return ret;
> }
>
> -static inline int do_check_range(struct super_block *sb, uint val,
> - uint min_val, uint max_val)
> +static inline int do_check_range(struct super_block *sb, const char *val_name,
> + uint val, uint min_val, uint max_val)
> {
> if (val < min_val || val >= max_val) {
> - quota_error(sb, "Getting block %u out of range %u-%u",
> - val, min_val, max_val);
> + quota_error(sb, "Getting %s %u out of range %u-%u",
> + val_name, val, min_val, max_val);
> return -EUCLEAN;
> }
As I already wrote in my comments to v1, please create do_check_range()
already with this prototype in patch 1 so that you don't have to update it
(and all the call sites) in each of the patches. It makes review simpler.
> @@ -268,6 +270,11 @@ static uint find_free_dqentry(struct qtree_mem_dqinfo *info,
> *err = check_dquot_block_header(info, dh);
> if (*err)
> goto out_buf;
> + *err = do_check_range(info->dqi_sb, "dqdh_entries",
> + le16_to_cpu(dh->dqdh_entries), 0,
> + qtree_dqstr_in_blk(info));
> + if (*err)
> + goto out_buf;
The checking of dqdh_entries belongs into check_dquot_block_header(). That
was the reason why it was created. So that all the checks are together in
one function...
> } else {
> blk = get_free_dqblk(info);
> if ((int)blk < 0) {
> @@ -349,6 +356,10 @@ static int do_insert_tree(struct qtree_mem_dqinfo *info, struct dquot *dquot,
> }
> ref = (__le32 *)buf;
> newblk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]);
> + ret = do_check_range(dquot->dq_sb, "block", newblk, 0,
> + info->dqi_blocks);
> + if (ret)
> + goto out_buf;
> if (!newblk)
> newson = 1;
> if (depth == info->dqi_qtree_depth - 1) {
> @@ -461,6 +472,11 @@ static int free_dqentry(struct qtree_mem_dqinfo *info, struct dquot *dquot,
> }
> dh = (struct qt_disk_dqdbheader *)buf;
> ret = check_dquot_block_header(info, dh);
> + if (ret)
> + goto out_buf;
> + ret = do_check_range(info->dqi_sb, "dqdh_entries",
> + le16_to_cpu(dh->dqdh_entries), 1,
> + qtree_dqstr_in_blk(info) + 1);
Again, the check of dqdh_entries should be in check_dquot_block_header().
> @@ -739,7 +756,13 @@ static int find_next_id(struct qtree_mem_dqinfo *info, qid_t *id,
> goto out_buf;
> }
> for (i = __get_index(info, *id, depth); i < epb; i++) {
> - if (ref[i] == cpu_to_le32(0)) {
> + uint blk_no = le32_to_cpu(ref[i]);
> +
> + ret = do_check_range(info->dqi_sb, "block", blk_no, 0,
> + info->dqi_blocks);
> + if (ret)
> + goto out_buf;
> + if (blk_no == 0) {
> *id += level_inc;
> continue;
> }
I'd leave checking for 0 first here - i.e.:
if (ref[i] == cpu_to_le32(0)) {
*id += level_inc;
continue;
}
and only then do:
blk_no = le32_to_cpu(ref[i]);
ret = do_check_range(...);
There's no point in checking known-good value.
Honza
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
