Linux-Fsdevel Archive on lore.kernel.org
* Re: [PATCH] exfat: Fix use after free in exfat_load_upcase_table()
@ 2020-06-08 15:07 Markus Elfring
  2020-06-08 15:52 ` Matthew Wilcox
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Markus Elfring @ 2020-06-08 15:07 UTC (permalink / raw)
  To: Dan Carpenter, linux-fsdevel
  Cc: kernel-janitors, linux-kernel, Namjae Jeon, Sungjong Seo,
	Tetsuhiro Kohada

> This code calls brelse(bh) and then dereferences "bh" on the next line
> resulting in a possible use after free.

There is an unfortunate function call sequence.


> The brelse() should just be moved down a line.

What do you think about a wording variant like the following?

   Thus move a call of the function “brelse” one line down.


Would you like to omit a word from the patch subject so that
a typo will be avoided there?

Regards,
Markus


* Re: [PATCH] exfat: Fix use after free in exfat_load_upcase_table()
  2020-06-08 15:07 [PATCH] exfat: Fix use after free in exfat_load_upcase_table() Markus Elfring
@ 2020-06-08 15:52 ` Matthew Wilcox
  2020-06-08 20:07   ` Markus Elfring
  2020-06-09  9:10 ` [PATCH] " Greg KH
  2020-06-10  9:27 ` exfat: Improving exception handling in two functions Markus Elfring
  2 siblings, 1 reply; 8+ messages in thread
From: Matthew Wilcox @ 2020-06-08 15:52 UTC (permalink / raw)
  To: Markus Elfring
  Cc: Dan Carpenter, linux-fsdevel, kernel-janitors, linux-kernel,
	Namjae Jeon, Sungjong Seo, Tetsuhiro Kohada

On Mon, Jun 08, 2020 at 05:07:33PM +0200, Markus Elfring wrote:
> > This code calls brelse(bh) and then dereferences "bh" on the next line
> > resulting in a possible use after free.
> 
> There is an unfortunate function call sequence.
> 
> 
> > The brelse() should just be moved down a line.
> 
> What do you think about a wording variant like the following?
> 
>    Thus move a call of the function “brelse” one line down.
> 
> 
> Would you like to omit a word from the patch subject so that
> a typo will be avoided there?

Markus, please go away.  This comment is entirely unhelpful.



* Re: exfat: Fix use after free in exfat_load_upcase_table()
  2020-06-08 15:52 ` Matthew Wilcox
@ 2020-06-08 20:07   ` Markus Elfring
  0 siblings, 0 replies; 8+ messages in thread
From: Markus Elfring @ 2020-06-08 20:07 UTC (permalink / raw)
  To: Matthew Wilcox, Dan Carpenter, linux-fsdevel
  Cc: kernel-janitors, linux-kernel, Namjae Jeon, Sungjong Seo,
	Tetsuhiro Kohada

>>> The brelse() should just be moved down a line.
>>
>> What do you think about a wording variant like the following?
>>
>>    Thus move a call of the function “brelse” one line down.
>>
>>
>> Would you like to omit a word from the patch subject so that
>> a typo will be avoided there?
>
> Markus, please go away.  This comment is entirely unhelpful.

I hope that other contributors can also get more positive impressions
(as it happened before).

Regards,
Markus


* Re: [PATCH] exfat: Fix use after free in exfat_load_upcase_table()
  2020-06-08 15:07 [PATCH] exfat: Fix use after free in exfat_load_upcase_table() Markus Elfring
  2020-06-08 15:52 ` Matthew Wilcox
@ 2020-06-09  9:10 ` Greg KH
  2020-06-10  9:27 ` exfat: Improving exception handling in two functions Markus Elfring
  2 siblings, 0 replies; 8+ messages in thread
From: Greg KH @ 2020-06-09  9:10 UTC (permalink / raw)
  To: Markus Elfring
  Cc: Dan Carpenter, linux-fsdevel, kernel-janitors, linux-kernel,
	Namjae Jeon, Sungjong Seo, Tetsuhiro Kohada

On Mon, Jun 08, 2020 at 05:07:33PM +0200, Markus Elfring wrote:
> > This code calls brelse(bh) and then dereferences "bh" on the next line
> > resulting in a possible use after free.
> 
> There is an unfortunate function call sequence.
> 
> 
> > The brelse() should just be moved down a line.
> 
> What do you think about a wording variant like the following?
> 
>    Thus move a call of the function “brelse” one line down.
> 
> 
> Would you like to omit a word from the patch subject so that
> a typo will be avoided there?

Hi,

This is the semi-friendly patch-bot of Greg Kroah-Hartman.

Markus, you seem to have sent a nonsensical or otherwise pointless
review comment to a patch submission on a Linux kernel developer mailing
list.  I strongly suggest that you not do this anymore.  Please do not
bother developers who are actively working to produce patches and
features with comments that, in the end, are a waste of time.

Patch submitter, please ignore Markus's suggestion; you do not need to
follow it at all.  The person/bot/AI that sent it is being ignored by
almost all Linux kernel maintainers for having a persistent pattern of
behavior of producing distracting and pointless commentary, and
inability to adapt to feedback.  Please feel free to also ignore emails
from them.

thanks,

greg k-h's patch email bot


* Re: exfat: Improving exception handling in two functions
  2020-06-08 15:07 [PATCH] exfat: Fix use after free in exfat_load_upcase_table() Markus Elfring
  2020-06-08 15:52 ` Matthew Wilcox
  2020-06-09  9:10 ` [PATCH] " Greg KH
@ 2020-06-10  9:27 ` Markus Elfring
  2020-06-10  9:59   ` [PATCH] exfat: call brelse() on error path Dan Carpenter
                     ` (2 more replies)
  2 siblings, 3 replies; 8+ messages in thread
From: Markus Elfring @ 2020-06-10  9:27 UTC (permalink / raw)
  To: linux-fsdevel, Namjae Jeon, Sungjong Seo
  Cc: kernel-janitors, linux-kernel, Dan Carpenter, Pali Rohár,
	Tetsuhiro Kohada, Wei Yongjun

Hello,

I have taken another look at pointer usage after calls of the function “brelse”.
My source code analysis approach pointed out implementation details
like the following for further software development considerations.
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/fs/exfat/namei.c?id=3d155ae4358baf4831609c2f9cd09396a2b8badf#n1078

…
		epold = exfat_get_dentry(sb, p_dir, oldentry + 1, &old_bh,
			&sector_old);
		epnew = exfat_get_dentry(sb, p_dir, newentry + 1, &new_bh,
			&sector_new);
		if (!epold || !epnew)
			return -EIO;
…

I suggest splitting such an error check.
What do you think about releasing a buffer head object for the desired
exception handling if one of these function calls succeeded?

Would you like to adjust such code in the functions “exfat_rename_file”
and “exfat_move_file”?

Regards,
Markus
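
The reference leak that the combined check can leave behind, as a userspace model added here (not code from this thread or from the kernel). `model_get_dentry`, `model_brelse`, `slots` and the `fail` mask are hypothetical stand-ins; the model assumes that a successful lookup leaves a buffer reference held until it is released.

```c
#include <errno.h>
#include <stddef.h>

/* Userspace model; every model_* name is hypothetical, not kernel API. */
static struct model_bh { int refs; char data[32]; } slots[2];
/* Stands in for exfat_get_dentry(); bit n of 'fail' makes lookup n fail. */
static char *model_get_dentry(int n, int fail, struct model_bh **bh)
{
	if (fail & (1 << n))
		return NULL;
	*bh = &slots[n];
	(*bh)->refs++;          /* a reference is held only on success */
	return (*bh)->data;
}
/* Stands in for brelse(): drops one reference, tolerates NULL. */
static void model_brelse(struct model_bh *bh) { if (bh) bh->refs--; }
/* Shape quoted in the message: one check after both lookups. */
static int rename_combined(int fail)
{
	struct model_bh *old_bh = NULL, *new_bh = NULL;
	char *epold = model_get_dentry(0, fail, &old_bh);
	char *epnew = model_get_dentry(1, fail, &new_bh);
	if (!epold || !epnew)
		return -EIO;    /* the lookup that succeeded stays referenced */
	model_brelse(old_bh);
	model_brelse(new_bh);
	return 0;
}

/* Split checks: each failure path releases what it already holds. */
static int rename_split(int fail)
{
	struct model_bh *old_bh = NULL, *new_bh = NULL;
	if (!model_get_dentry(0, fail, &old_bh))
		return -EIO;
	if (!model_get_dentry(1, fail, &new_bh)) {
		model_brelse(old_bh);
		return -EIO;
	}
	model_brelse(old_bh);
	model_brelse(new_bh);
	return 0;
}
/* Runs one variant under a failure mask; returns references left held. */
static int leaked_after(int (*fn)(int), int fail)
{
	slots[0].refs = slots[1].refs = 0;
	fn(fail);
	return slots[0].refs + slots[1].refs;
}
```

`leaked_after(rename_combined, 2)` models a failing second lookup and `leaked_after(rename_combined, 1)` a failing first one; the split variant leaves nothing held in either case.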


* [PATCH] exfat: call brelse() on error path
  2020-06-10  9:27 ` exfat: Improving exception handling in two functions Markus Elfring
@ 2020-06-10  9:59   ` Dan Carpenter
  2020-06-10 12:14   ` exfat: Improving exception handling in two functions Markus Elfring
  2020-06-10 14:53   ` Greg KH
  2 siblings, 0 replies; 8+ messages in thread
From: Dan Carpenter @ 2020-06-10  9:59 UTC (permalink / raw)
  To: Namjae Jeon, linux-fsdevel, Sungjong Seo
  Cc: kernel-janitors, linux-kernel, Pali Rohár, Tetsuhiro Kohada,
	Wei Yongjun

If the second exfat_get_dentry() call fails then we need to release
"old_bh" before returning.

Reported-by: Markus Elfring <Markus.Elfring@web.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 fs/exfat/namei.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c
index 5b0f35329d63e..fda92c824ff11 100644
--- a/fs/exfat/namei.c
+++ b/fs/exfat/namei.c
@@ -1077,10 +1077,14 @@ static int exfat_rename_file(struct inode *inode, struct exfat_chain *p_dir,
 
 		epold = exfat_get_dentry(sb, p_dir, oldentry + 1, &old_bh,
 			&sector_old);
+		if (!epold)
+			return -EIO;
 		epnew = exfat_get_dentry(sb, p_dir, newentry + 1, &new_bh,
 			&sector_new);
-		if (!epold || !epnew)
+		if (!epnew) {
+			brelse(old_bh);
 			return -EIO;
+		}
 
 		memcpy(epnew, epold, DENTRY_SIZE);
 		exfat_update_bh(sb, new_bh, sync);
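
Review bot: the early `return -EIO` after the first lookup and the `brelse(old_bh)` in the `if (!epnew)` branch fix exfat_rename_file() only, while the report credited in Reported-by asked about the same combined `if (!epold || !epnew)` check in both exfat_rename_file() and exfat_move_file(). Either apply the same split there in this patch or say in the commit message that exfat_move_file() is handled separately. The message also carries no Fixes: tag, which would help anyone backporting this leak fix identify the commit that introduced the combined check.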
-- 
2.26.2



* Re: exfat: Improving exception handling in two functions
  2020-06-10  9:27 ` exfat: Improving exception handling in two functions Markus Elfring
  2020-06-10  9:59   ` [PATCH] exfat: call brelse() on error path Dan Carpenter
@ 2020-06-10 12:14   ` Markus Elfring
  2020-06-10 14:53   ` Greg KH
  2 siblings, 0 replies; 8+ messages in thread
From: Markus Elfring @ 2020-06-10 12:14 UTC (permalink / raw)
  To: linux-fsdevel, Namjae Jeon, Sungjong Seo
  Cc: kernel-janitors, linux-kernel, Dan Carpenter, Pali Rohár,
	Tetsuhiro Kohada, Wei Yongjun

> My source code analysis approach pointed out implementation details
> like the following for further software development considerations.

The clarification of corresponding collateral evolution will be continued
with the update suggestion “exfat: call brelse() on error path”.
https://lore.kernel.org/linux-fsdevel/20200610095934.GA35167@mwanda/
https://lore.kernel.org/patchwork/patch/1254515/

Regards,
Markus


* Re: exfat: Improving exception handling in two functions
  2020-06-10  9:27 ` exfat: Improving exception handling in two functions Markus Elfring
  2020-06-10  9:59   ` [PATCH] exfat: call brelse() on error path Dan Carpenter
  2020-06-10 12:14   ` exfat: Improving exception handling in two functions Markus Elfring
@ 2020-06-10 14:53   ` Greg KH
  2 siblings, 0 replies; 8+ messages in thread
From: Greg KH @ 2020-06-10 14:53 UTC (permalink / raw)
  To: Markus Elfring
  Cc: linux-fsdevel, Namjae Jeon, Sungjong Seo, kernel-janitors,
	linux-kernel, Dan Carpenter, Pali Rohár, Tetsuhiro Kohada,
	Wei Yongjun

On Wed, Jun 10, 2020 at 11:27:58AM +0200, Markus Elfring wrote:
> Hello,
> 
> I have taken another look at pointer usage after calls of the function “brelse”.
> My source code analysis approach pointed out implementation details
> like the following for further software development considerations.
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/fs/exfat/namei.c?id=3d155ae4358baf4831609c2f9cd09396a2b8badf#n1078
> 
> …
> 		epold = exfat_get_dentry(sb, p_dir, oldentry + 1, &old_bh,
> 			&sector_old);
> 		epnew = exfat_get_dentry(sb, p_dir, newentry + 1, &new_bh,
> 			&sector_new);
> 		if (!epold || !epnew)
> 			return -EIO;
> …
> 
> I suggest splitting such an error check.
> What do you think about releasing a buffer head object for the desired
> exception handling if one of these function calls succeeded?
> 
> Would you like to adjust such code in the functions “exfat_rename_file”
> and “exfat_move_file”?
> 
> Regards,
> Markus

Hi,

This is the semi-friendly patch-bot of Greg Kroah-Hartman.

Markus, you seem to have sent a nonsensical or otherwise pointless
review comment to a patch submission on a Linux kernel developer mailing
list.  I strongly suggest that you not do this anymore.  Please do not
bother developers who are actively working to produce patches and
features with comments that, in the end, are a waste of time.

Patch submitter, please ignore Markus's suggestion; you do not need to
follow it at all.  The person/bot/AI that sent it is being ignored by
almost all Linux kernel maintainers for having a persistent pattern of
behavior of producing distracting and pointless commentary, and
inability to adapt to feedback.  Please feel free to also ignore emails
from them.

thanks,

greg k-h's patch email bot
