[PATCH v2 1/6] fs/readdir: Fix filldir() and filldir64() use of user_access_begin()
Linus Torvalds
torvalds at linux-foundation.org
Thu Jan 23 07:00:31 AEDT 2020
On Wed, Jan 22, 2020 at 10:24 AM Linus Torvalds
<torvalds at linux-foundation.org> wrote:
>
> Patch looks better, but those names are horrid.
Hmm.
A bit more re-organization also allows us to do the unsafe_put_user()
unconditionally.
In particular, if we remove 'previous' as a pointer from the filldir
data structure, and replace it with 'prev_reclen', then we can do
prev_reclen = buf->prev_reclen;
dirent = buf->current_dir;
prev = (void __user *) dirent - prev_reclen;
if (!user_access_begin(prev, reclen + prev_reclen))
goto efault;
and instead of checking that 'previous' pointer for NULL, we just
check prev_reclen for not being zero.
Yes, it replaces a few other
lastdirent = buf.previous;
with the slightly more complicated
lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
but on the whole it makes the _important_ code more streamlined, and
avoids having to have those if-else cases.
Something like the attached.
COMPLETELY UNTESTED! It compiles for me. The generated assembly looks
ok from a quick look.
Christophe, does this work for you on your ppc test-case?
Side note: I think verify_dirent_name() should check that 'len' is in
the appropriate range too, because right now a corrupted filesystem is
only noticed for a zero length. But a negative one, or one where the
reclen calculations would overflow, is not noticed.
Most filesystems have the source of 'len' being something like an
'unsigned char' so that it's pretty bounded anyway, which is likely
why nobody cared when we added that check, but..
Linus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch.diff
Type: text/x-patch
Size: 5989 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/linuxppc-dev/attachments/20200122/454987e2/attachment-0001.bin>
More information about the Linuxppc-dev
mailing list