Re: Bad ext3/nfs DoS bug

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 21 Jul 2006 16:39:32 +1000
Neil Brown <[email protected]> wrote:

> Avoid triggering ext3_error on bad NFS file handle
> 
> The inode number out of an NFS file handle gets passed 
> eventually to ext3_get_inode_block without any checking.
> If ext3_get_inode_block allows it to trigger a error,
> then bad filehandles can have unpleasant effect.
> 
> So remove the call to ext3_error there and put a matching
> check in ext3/namei.c where inode numbers are read of storage.
> 

There are strange things happening in here.

> +static inline int ext3_valid_inum(struct super_block *sb, unsigned long ino)
> +{
> +	return ino == EXT3_ROOT_INO ||
> +		ino == EXT3_JOURNAL_INO ||
> +		ino == EXT3_RESIZE_INO ||
> +		(ino > EXT3_FIRST_INO(sb) &&
> +		 ino <= le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count));
> +}

One would expect the inode validity test to be

	(ino >= EXT3_FIRST_INO(sb)) && (ino < ...->s_inodes_count))

but even this assumes that s_inodes_count is misnamed and really should be
called s_last_inode_plus_one.  If it is not misnamed then the validity test
should be

	(ino >= EXT3_FIRST_INO(sb)) &&
		(ino < EXT3_FIRST_INO(sb) + ...->s_inodes_count))

Look through the filesystem for other uses of EXT3_FIRST_INO().  It's all
rather fishily inconsistent.

Ted, Andreas: do you think we could come up with statements describing
exactly what the values in EXT3_FIRST_INO() and in ->s_inodes_count
represent?  Thanks.


Also Neil, I wonder whether this patch of yours still permits NFS clients
to access the journal and resize inodes in undesirable ways?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux