[V2] xfs: fix boundary test in xfs_attr_shortform_verify

Commit Message

Eric Sandeen Aug. 26, 2020, 4:19 p.m. UTC

The boundary test for the fixed-offset parts of xfs_attr_sf_entry in
xfs_attr_shortform_verify is off by one, because the variable array
at the end is defined as nameval[1] not nameval[].
Hence we need to subtract 1 from the calculation.

This can be shown by:

# touch file
# setfattr -n root.a file

and verifications will fail when it's written to disk.

This only matters for a last attribute which has a single-byte name
and no value, otherwise the combination of namelen & valuelen will
push endp further out and this test won't fail.

Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs")
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
---

V2: Add whitespace and comments, tweak commit log.

Note: as Darrick points out, this should be made consistent w/ the dir2 arrays
by making the nameval variable size array [] not [1], and then we can lose all
the -1 magic sprinkled around.  At that time we should probably also make the
macros into proper functions, as was done for dir2.

For now, this is just the least invasive fixup for the problem at hand.

Comments

Darrick J. Wong Aug. 26, 2020, 4:44 p.m. UTC | #1

On Wed, Aug 26, 2020 at 11:19:54AM -0500, Eric Sandeen wrote:
> The boundary test for the fixed-offset parts of xfs_attr_sf_entry in
> xfs_attr_shortform_verify is off by one, because the variable array
> at the end is defined as nameval[1] not nameval[].
> Hence we need to subtract 1 from the calculation.
> 
> This can be shown by:
> 
> # touch file
> # setfattr -n root.a file
> 
> and verifications will fail when it's written to disk.
> 
> This only matters for a last attribute which has a single-byte name
> and no value, otherwise the combination of namelen & valuelen will
> push endp further out and this test won't fail.
> 
> Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs")
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>

Looks ok.

From whom should I be expecting a test case?

Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>

--D

> ---
> 
> V2: Add whitespace and comments, tweak commit log.
> 
> Note: as Darrick points out, this should be made consistent w/ the dir2 arrays
> by making the nameval variable size array [] not [1], and then we can lose all
> the -1 magic sprinkled around.  At that time we should probably also make the
> macros into proper functions, as was done for dir2.
> 
> For now, this is just the least invasive fixup for the problem at hand.
> 
> diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
> index 8623c815164a..383b08f2ac61 100644
> --- a/fs/xfs/libxfs/xfs_attr_leaf.c
> +++ b/fs/xfs/libxfs/xfs_attr_leaf.c
> @@ -1036,8 +1036,10 @@ xfs_attr_shortform_verify(
>  		 * struct xfs_attr_sf_entry has a variable length.
>  		 * Check the fixed-offset parts of the structure are
>  		 * within the data buffer.
> +		 * xfs_attr_sf_entry is defined with a 1-byte variable
> +		 * array at the end, so we must subtract that off.
>  		 */
> -		if (((char *)sfep + sizeof(*sfep)) >= endp)
> +		if (((char *)sfep + sizeof(*sfep) - 1) >= endp)
>  			return __this_address;
>  
>  		/* Don't allow names with known bad length. */
>

Eric Sandeen Aug. 26, 2020, 5:07 p.m. UTC | #2

On 8/26/20 11:44 AM, Darrick J. Wong wrote:
> On Wed, Aug 26, 2020 at 11:19:54AM -0500, Eric Sandeen wrote:
>> The boundary test for the fixed-offset parts of xfs_attr_sf_entry in
>> xfs_attr_shortform_verify is off by one, because the variable array
>> at the end is defined as nameval[1] not nameval[].
>> Hence we need to subtract 1 from the calculation.
>>
>> This can be shown by:
>>
>> # touch file
>> # setfattr -n root.a file
>>
>> and verifications will fail when it's written to disk.
>>
>> This only matters for a last attribute which has a single-byte name
>> and no value, otherwise the combination of namelen & valuelen will
>> push endp further out and this test won't fail.
>>
>> Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs")
>> Signed-off-by: Eric Sandeen <sandeen@redhat.com>
> 
> Looks ok.

thanks
 
> From whom should I be expecting a test case?

from me or a TBD delegate.  Will follow up soon.

-Eric

> Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>

Christoph Hellwig Aug. 27, 2020, 8:12 a.m. UTC | #3

Looks good,

Reviewed-by: Christoph Hellwig <hch@lst.de>

Can you follow up with the struct definition fix ASAP?

Eric Sandeen Aug. 27, 2020, 1:43 p.m. UTC | #4

On 8/27/20 3:12 AM, Christoph Hellwig wrote:
> Looks good,
> 
> Reviewed-by: Christoph Hellwig <hch@lst.de>
> 
> Can you follow up with the struct definition fix ASAP?

Working on delegating that task, yes.

-Eric

Pavel Reichl Sept. 1, 2020, 12:59 p.m. UTC | #5

> From whom should I be expecting a test case?
Hi,

I took the task, I hope it will be done soon - I'll do my best.

Pavel

Patch

diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index 8623c815164a..383b08f2ac61 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -1036,8 +1036,10 @@  xfs_attr_shortform_verify(
 		 * struct xfs_attr_sf_entry has a variable length.
 		 * Check the fixed-offset parts of the structure are
 		 * within the data buffer.
+		 * xfs_attr_sf_entry is defined with a 1-byte variable
+		 * array at the end, so we must subtract that off.
 		 */
-		if (((char *)sfep + sizeof(*sfep)) >= endp)
+		if (((char *)sfep + sizeof(*sfep) - 1) >= endp)
 			return __this_address;
 
 		/* Don't allow names with known bad length. */