On 2024/8/2 15:34, Ojaswin Mujoo wrote:
On Wed, Jul 10, 2024 at 12:06:44PM +0800, libaokun@xxxxxxxxxxxxxxx wrote:
From: Baokun Li <libaokun1@xxxxxxxxxx>
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_ext_create_new_leaf(), the following is
done here:
* Free the extents path when an error is encountered.
* Its caller needs to update ppath if it uses ppath.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@xxxxxxxxxx>
Hi Baokun,
Hey Ojaswin,
The changes look good to me, feel free to add:
Reviewed-by: Ojaswin Mujoo <ojaswin@xxxxxxxxxxxxx>
Thank you very much for your review!
That being said, IIUC i think this patchset also fixes a potential UAF
bug. Below is a sample trace with dummy values:
ext4_ext_insert_extent
path = *ppath = 2000
ext4_ext_create_new_leaf(ppath)
path = *ppath = 2000
ext4_find_extent(path = 2000)
if (depth > path[0].p_maxdepth)
kfree(path = 2000);
path = NULL;
path = kcalloc() = 3000
...
return path;
path = 3000
*ppath = 3000;
return;
/* here path is still 2000 *, UAF! */
eh = path[depth].p_hdr
I'm not completely sure if we can hit (depth > path[0].p_maxdepth) in the
above codepath but I think the flow is still a bit fragile. Maybe this
should be fixed in a separate patch first. What do you think?
Regards,
ojaswin
Nice catch!
This is indeed a potential UAF issue, and while it seems hard to
trigger (depth > path[0].p_maxdepth), it does deserve a separate
patch, and I'll be adding a separate quick fix for this in the next version.
Regards,
Baokun
