Re: [PATCH 1/1] xfs: online repair of symbolic links

On Wed, Feb 28, 2024 at 02:10:48PM -0800, Christoph Hellwig wrote:
> On Wed, Feb 28, 2024 at 12:52:13PM -0800, Darrick J. Wong wrote:
> > I overlooked something this morning -- if the caller passes in
> > XFS_SCRUB_IFLAG_FORCE_REBUILD, that might be the free space defragmenter
> > trying to get us to move the remote target block somewhere else.  For
> > that usecase, if the symlink scrub doesn't find any problems and we read
> > in exactly i_size bytes, I think we want to write that back to the
> > symlink, and not the DUMMY_TARGET.
> 
> Yes, I think we really want that :) 

I'm glad we agree.

> > Something like:
> > 
> > 	if (FORCE_REBUILD && !CORRUPT) {
> 
> Maybe I need to read the code a little more, but shouldn't this
> simply be !corrupt?  Or an assert that if it is not corrupt it is
> a force rebuild?  Or am I missing a use case for !corrupt &&
> !force_rebuild?

Hmmmm.  You're right, I think that should merely be !corrupt.

I was trying to be cautious by checking FORCE_REBUILD, but there are
other ways to end up in repair -- if something sets PREEN, for example.
That won't happen for symbolic links (at least not today) but I could
also not leave such a logic bomb. :)

> > 	/*
> > 	 * Change an empty target into a dummy target and clear the symlink
> > 	 * target zapped flag.
> > 	 */
> > 	if (target_buf[0] == 0) {
> > 		sc->sick_mask |= XFS_SICK_INO_SYMLINK_ZAPPED;
> > 		sprintf(target_buf, DUMMY_TARGET);
> > 	}
> > 
> > Can we allow that without risking truncation making the symlink point to
> > some unintended place?
> 
> I can't think of anything that would truncate it, what do you have in
> mind?

I think the answer to my question is "No".

If scrub (or the regular verifiers) hit anything, then we end up in
symlink_repair.c with CORRUPT set.  In this case we set the target to
DUMMY_TARGET.

If the salvage functions recover fewer bytes than i_disk_size, then
we'll set the target to DUMMY_TARGET because that could lead to things
like:

0. touch autoexec autoexec@bat
1. ln -s 'autoexec@bat' victimlink
2. corrupt victimlink by 's/@/\0/g' on the target
3. repair salvages the target and ends up with 'autoexec'

Alternately:

0. touch autoexec autoexec@bat
1. ln -s 'autoexec@bat' victimlink
2. corrupt victimlink by incrementing di_size (it's now 13)
3. repair salvages the target and ends up with "autoexec@bat\0"

In both of those cases, something's inconsistent between the buffer
contents and di_size.  There aren't supposed to be nulls in the target,
but whatever might have been in that byte originally is long gone.  The
only thing to do here is replace it with DUMMY_TARGET.

If salvage recovers more bytes than i_disk_size then we have no idea if
di_size was broken or not because the target isn't null-terminated.
In theory the kernel will never do this (because it zeroes the xfs_buf
contents in xfs_trans_buf_get) but fuzzers could do that.

So yeah, I think the salvage code should be:

	buflen = 0;

	if (!(sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)) {
		if (sc->ip->i_df.if_format == XFS_DINODE_FMT_LOCAL)
			buflen = xrep_symlink_salvage_inline(sc);
		else
			buflen = xrep_symlink_salvage_remote(sc);
		if (buflen < 0)
			return buflen;

		/*
		 * NULL-terminate the buffer because the ondisk target does not
		 * do that for us.  If salvage didn't find the exact amount of
		 * data that we expected to find, don't salvage anything.
		 */
		target_buf[buflen] = 0;
		if (strlen(target_buf) != sc->ip->i_disk_size)
			buflen = 0;
	}

	/*
	 * Change an empty target into a dummy target and clear the symlink
	 * target zapped flag.
	 */
	if (buflen == 0) {
		sc->sick_mask |= XFS_SICK_INO_SYMLINK_ZAPPED;
		sprintf(target_buf, DUMMY_TARGET);
	}

--D
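The salvage decision sketched in the message above (null-terminate what was recovered, accept it only if strlen() equals di_size exactly, otherwise substitute the dummy target), as an added user-space C model. This is example code written for this page, not the XFS patch or anything posted in the thread; salvage_symlink_target, check_case and the placeholder text in DUMMY_TARGET are illustrative names and values, and the four inputs are constructed to match the embedded-NUL, incremented-di_size, overlong and healthy cases discussed.

```c
/*
 * Added example, not part of the XFS patch or this e-mail thread.
 * Models the symlink salvage check: the on-disk target carries no
 * terminator, so after copying di_size bytes we terminate the copy and
 * trust it only if strlen() == di_size.  Anything else gets the dummy.
 * Function names and the DUMMY_TARGET string are illustrative only.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN_DEMO 256
#define DUMMY_TARGET "(corrupt symlink target)"   /* placeholder, not XFS's */

enum salvage_result { SALVAGE_OK, SALVAGE_ZAPPED };

/*
 * recovered/nbytes: what salvage pulled off disk (inline or remote block).
 * di_size: the target length recorded in the inode.
 * corrupt: scrub already flagged the symlink, so skip salvage entirely.
 * out: receives either the verified target or DUMMY_TARGET.
 */
static enum salvage_result
salvage_symlink_target(const uint8_t *recovered, size_t nbytes, size_t di_size,
                       bool corrupt, char *out, size_t outlen)
{
    size_t buflen = 0;

    /* Only try to salvage when scrub found nothing wrong. */
    if (!corrupt && nbytes < outlen) {
        memcpy(out, recovered, nbytes);
        buflen = nbytes;
    }

    /* The on-disk target is not NUL-terminated; terminate what we copied. */
    out[buflen] = '\0';

    /*
     * An embedded NUL makes strlen() shorter than di_size; extra bytes make
     * it longer.  Either means buffer and di_size disagree, so salvage
     * nothing rather than guess which one was right.
     */
    if (buflen == 0 || strlen(out) != di_size)
        buflen = 0;

    if (buflen == 0) {
        snprintf(out, outlen, "%s", DUMMY_TARGET);
        return SALVAGE_ZAPPED;
    }
    return SALVAGE_OK;
}

/* Run one constructed case; 1 if verdict and resulting target both match. */
static int
check_case(const char *recovered, size_t nbytes, size_t di_size, bool corrupt,
           enum salvage_result want, const char *want_target)
{
    char out[MAXPATHLEN_DEMO];
    enum salvage_result got = salvage_symlink_target((const uint8_t *)recovered,
                                                     nbytes, di_size, corrupt,
                                                     out, sizeof(out));
    return got == want && strcmp(out, want_target) == 0;
}

int main(void)
{
    /* Healthy: 12 bytes on disk, di_size 12, no NULs. */
    printf("healthy:          %s\n",
           check_case("autoexec@bat", 12, 12, false, SALVAGE_OK, "autoexec@bat") ? "ok" : "FAIL");
    /* Embedded NUL (the s/@/\0/ case): strlen is 8, di_size is 12. */
    printf("embedded NUL:     %s\n",
           check_case("autoexec\0bat", 12, 12, false, SALVAGE_ZAPPED, DUMMY_TARGET) ? "ok" : "FAIL");
    /* di_size bumped to 13; the 13th byte read back is a zero. */
    printf("di_size too big:  %s\n",
           check_case("autoexec@bat\0", 13, 13, false, SALVAGE_ZAPPED, DUMMY_TARGET) ? "ok" : "FAIL");
    /* More bytes than di_size with no terminator (fuzzer-style). */
    printf("overlong target:  %s\n",
           check_case("autoexec@batX", 13, 12, false, SALVAGE_ZAPPED, DUMMY_TARGET) ? "ok" : "FAIL");
    /* Scrub already flagged it: salvage is skipped regardless of contents. */
    printf("flagged corrupt:  %s\n",
           check_case("autoexec@bat", 12, 12, true, SALVAGE_ZAPPED, DUMMY_TARGET) ? "ok" : "FAIL");
    return 0;
}
```

The point the model makes concrete is that both directions of mismatch are rejected with the same test: a target shortened by an embedded NUL and a target lengthened by a bad di_size both fail strlen(out) == di_size, so neither "autoexec" nor "autoexec@bat\0" ever becomes the new link target.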
