On Fri, 21 Jul 2006 16:39:32 +1000
Neil Brown <[email protected]> wrote:
> Avoid triggering ext3_error on bad NFS file handle
>
> The inode number out of an NFS file handle gets passed
> eventually to ext3_get_inode_block without any checking.
> If ext3_get_inode_block allows it to trigger a error,
> then bad filehandles can have unpleasant effect.
>
> So remove the call to ext3_error there and put a matching
> check in ext3/namei.c where inode numbers are read of storage.
>
There are strange things happening in here.
> +static inline int ext3_valid_inum(struct super_block *sb, unsigned long ino)
> +{
> + return ino == EXT3_ROOT_INO ||
> + ino == EXT3_JOURNAL_INO ||
> + ino == EXT3_RESIZE_INO ||
> + (ino > EXT3_FIRST_INO(sb) &&
> + ino <= le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count));
> +}
One would expect the inode validity test to be
(ino >= EXT3_FIRST_INO(sb)) && (ino < ...->s_inodes_count))
but even this assumes that s_inodes_count is misnamed and really should be
called s_last_inode_plus_one. If it is not misnamed then the validity test
should be
(ino >= EXT3_FIRST_INO(sb)) &&
(ino < EXT3_FIRST_INO(sb) + ...->s_inodes_count))
Look through the filesystem for other uses of EXT3_FIRST_INO(). It's all
rather fishily inconsistent.
Ted, Andreas: do you think we could come up with statements describing
exactly what the values in EXT3_FIRST_INO() and in ->s_inodes_count
represent? Thanks.
Also Neil, I wonder whether this patch of yours still permits NFS clients
to access the journal and resize inodes in undesirable ways?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
