Re: [f2fs-dev] [PATCH] f2fs: avoid utf8_strncasecmp() with unstable name

Sat, 30 May 2020 08:09:04 -0700 

On 05/29, Eric Biggers wrote:
> From: Eric Biggers <ebigg...@google.com>
> 
> If the dentry name passed to ->d_compare() fits in dentry::d_iname, then
> it may be concurrently modified by a rename.  This can cause undefined
> behavior (possibly out-of-bounds memory accesses or crashes) in
> utf8_strncasecmp(), since fs/unicode/ isn't written to handle strings
> that may be concurrently modified.
> 
> Fix this by first copying the filename to a stack buffer if needed.
> This way we get a stable snapshot of the filename.
> 
> Fixes: 2c2eb7a300cd ("f2fs: Support case-insensitive file name lookups")
> Cc: <sta...@vger.kernel.org> # v5.4+
> Cc: Al Viro <v...@zeniv.linux.org.uk>
> Cc: Daniel Rosenberg <dro...@google.com>
> Cc: Gabriel Krisman Bertazi <kris...@collabora.co.uk>
> Signed-off-by: Eric Biggers <ebigg...@google.com>

Acked-by: Jaegeuk Kim <jaeg...@kernel.org>

> ---
>  fs/f2fs/dir.c | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
> 
> diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
> index 44bfc464df787..5c179b72eb8a8 100644
> --- a/fs/f2fs/dir.c
> +++ b/fs/f2fs/dir.c
> @@ -1083,6 +1083,7 @@ static int f2fs_d_compare(const struct dentry *dentry, 
> unsigned int len,
>       struct qstr qstr = {.name = str, .len = len };
>       const struct dentry *parent = READ_ONCE(dentry->d_parent);
>       const struct inode *inode = READ_ONCE(parent->d_inode);
> +     char strbuf[DNAME_INLINE_LEN];
>  
>       if (!inode || !IS_CASEFOLDED(inode)) {
>               if (len != name->len)
> @@ -1090,6 +1091,22 @@ static int f2fs_d_compare(const struct dentry *dentry, 
> unsigned int len,
>               return memcmp(str, name->name, len);
>       }
>  
> +     /*
> +      * If the dentry name is stored in-line, then it may be concurrently
> +      * modified by a rename.  If this happens, the VFS will eventually retry
> +      * the lookup, so it doesn't matter what ->d_compare() returns.
> +      * However, it's unsafe to call utf8_strncasecmp() with an unstable
> +      * string.  Therefore, we have to copy the name into a temporary buffer.
> +      */
> +     if (len <= DNAME_INLINE_LEN - 1) {
> +             unsigned int i;
> +
> +             for (i = 0; i < len; i++)
> +                     strbuf[i] = READ_ONCE(str[i]);
> +             strbuf[len] = 0;
> +             qstr.name = strbuf;
> +     }
> +
>       return f2fs_ci_compare(inode, name, &qstr, false);
>  }
>  
> -- 
> 2.26.2


_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

Reply via email to