From patchwork Mon Jul 8 05:14:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Qu Wenruo X-Patchwork-Id: 13726168 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 64D0F14A8F for ; Mon, 8 Jul 2024 05:14:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.130 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720415686; cv=none; b=XwIHBzSaqitdlsmYxpeTDf2YLppW/ckSqE0qsR0OP3YqcGfcEDPN+38qZ3dSNvDABEfu54wqJq87wbWo50SqyAF39Y5Ii4zaXpyeXWXlsE8d3qmVXmwKCngd9rgi9VK3r/GFJ1wxOrmX/BbP9syp/YwcGPUwAmCdJdijGF2keDs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720415686; c=relaxed/simple; bh=+xZk9Jeh0ny0/XZcmvsNVIzml6XsMudIriE4xvuObkQ=; h=From:To:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=CT0zN2Zg4ABF7No5QIeSX+7SB3b2BrvUQNJs5yfgPhvJP/sMwOnCoC9dSK5GA88CsHyLI+DXFEbt36EKf82fjE7TN2Ms5w5X/02oZzhCu9OEyK1BKD6CzV7qgtpJMdao/inYxn34DyzJpK1Vj5JnsvNGFxNElGqgVq0iUTPoxhg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=bHN/sYmQ; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=bHN/sYmQ; arc=none smtp.client-ip=195.135.223.130 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="bHN/sYmQ"; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="bHN/sYmQ" Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 9A55A219DE for ; Mon, 8 Jul 2024 05:14:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1720415682; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pEomUY7EA/AKConWTE1BA8iU5+YPujwJNjXr2qbA40U=; b=bHN/sYmQLG3vsAenTJdBDeEr5YU7+rMLTji9fB+YsJVQ8iPTp212Ts0Y2/qPeBUkcEJIyR RzOeU/HJTiNwIhdopjbG3GJG/EnQGCUJAIHZ991zqCjfJDV2SDZNolwbW6zuFWoQXm4eIu XLzZx2tVjVmPdtWLuUO860Eg3YSAjAw= Authentication-Results: smtp-out1.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1720415682; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pEomUY7EA/AKConWTE1BA8iU5+YPujwJNjXr2qbA40U=; b=bHN/sYmQLG3vsAenTJdBDeEr5YU7+rMLTji9fB+YsJVQ8iPTp212Ts0Y2/qPeBUkcEJIyR RzOeU/HJTiNwIhdopjbG3GJG/EnQGCUJAIHZ991zqCjfJDV2SDZNolwbW6zuFWoQXm4eIu XLzZx2tVjVmPdtWLuUO860Eg3YSAjAw= Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id B9E4A1396E for ; Mon, 8 Jul 2024 05:14:41 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id oBN7HMF1i2YbZwAAD6G6ig (envelope-from ) for ; Mon, 08 Jul 2024 05:14:41 +0000 From: Qu Wenruo To: linux-btrfs@vger.kernel.org Subject: [PATCH 1/4] btrfs-progs: add warning for -s option of btrfs-image Date: Mon, 8 Jul 2024 14:44:15 +0930 Message-ID: <8496042fa1f667dc3ff479170c60d57b1646266f.1720415116.git.wqu@suse.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-btrfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spamd-Result: default: False [-1.66 / 50.00]; BAYES_HAM(-1.86)[94.18%]; NEURAL_HAM_LONG(-1.00)[-1.000]; MID_CONTAINS_FROM(1.00)[]; R_MISSING_CHARSET(0.50)[]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; FUZZY_BLOCKED(0.00)[rspamd.com]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; ARC_NA(0.00)[]; DKIM_SIGNED(0.00)[suse.com:s=susede1]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:email]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[linux-btrfs@vger.kernel.org]; RCVD_TLS_ALL(0.00)[] X-Spam-Flag: NO X-Spam-Score: -1.66 X-Spam-Level: The filename sanitization is not recommended as it introduces mismatches between DIR_ITEM and INODE_REF. Even hash confliction mode (double "-s" option) is not ensured to always find a conflict, and when failed to find a conflict, a mismatch would happen. And when a mismatch happens, the kernel will not resolve the path correctly since kernel uses the hash from DIR_ITEM to lookup the child inode. So add a warning into the "-s" option of btrfs-image. Signed-off-by: Qu Wenruo --- Documentation/btrfs-image.rst | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/Documentation/btrfs-image.rst b/Documentation/btrfs-image.rst index a63b0da273c5..febbf3877c82 100644 --- a/Documentation/btrfs-image.rst +++ b/Documentation/btrfs-image.rst @@ -37,13 +37,16 @@ OPTIONS file system will not be able to be mounted. -s - Sanitize the file names when generating the image. One -s means just - generate random garbage, which means that the directory indexes won't match up - since the hashes won't match with the garbage filenames. Using *-s* will - calculate a collision for the filename so that the hashes match, and if it - can't calculate a collision then it will just generate garbage. The collision - calculator is very time and CPU intensive so only use it if you are having - problems with your file system tree and need to have it mostly working. + Sanitize the file names when generating the image. + Not recommended as this would introduce new hash mismatch, thus if your + problem involves subvolume tress, it can even mask the existing problems. + + One *-s* means just generate random garbage, which means that the + directory hash won't match up its filenames. + Using two *-s* will calculate a collision for the filename so that the + hashes match, and if it can't calculate a collision then it will just + generate garbage. The collision calculator is very time and CPU + intensive. -w Walk all the trees manually and copy any blocks that are referenced. Use this From patchwork Mon Jul 8 05:14:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Qu Wenruo X-Patchwork-Id: 13726169 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3CE8AB66F for ; Mon, 8 Jul 2024 05:14:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720415688; cv=none; b=g63F4n83GcEc2kEV8Sim7LEus/vbqcAtGUa3606weXOl2RlgwzYb8WeykJkCFH8NkHpe1Kyi5POzbsUDZxscyRp5mReGTksaweBjNqnRYAl7UD3Sl4q2NCkmIQKyWavlwgo4LEsyLkHPpdSlsQH/yIFDUX4geBKNRoeYIw9V5mo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720415688; c=relaxed/simple; bh=gC6Vv+CfFZJZn5DPeeaYpKHkfCkbVY46X9rAB6RqR4c=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=tzQaS1HvGng/U980QNn8yXo33n3HK3AXLcnwcnDQ5ZOJWo1UNAosajLBdiW7hgTYf9IibE0uT7wrx7oTt77NwdSkooDkUbqMqD5o8MLsK95ePL3BCiKSulP+dEbvYoMrNkwIptXMkcpwex776tsWfqPrhXG2jetaivvNbelgOTg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=B6zGeMCN; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=B6zGeMCN; arc=none smtp.client-ip=195.135.223.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="B6zGeMCN"; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="B6zGeMCN" Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 5D2361FBDE; Mon, 8 Jul 2024 05:14:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1720415684; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rGmR9WiQSYTeidQEcStvt/brLxl8HzWeYogUS42fGzA=; b=B6zGeMCN5FgLimglgPC5eQ9dLt0tSD1OCNQbp1CE4ZySOHLUO7hzdbtPeR3ikd+rWfLY22 VvVmAmJ3q9K4heGnVY9d3dBGZT48WS+1hSoPA18MDK53kWsMi2ZGCJjcvQ6igWboweGmXk PSOnjQ3RlnkYEBfMPIQSgLx0aiUmVwE= Authentication-Results: smtp-out2.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1720415684; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rGmR9WiQSYTeidQEcStvt/brLxl8HzWeYogUS42fGzA=; b=B6zGeMCN5FgLimglgPC5eQ9dLt0tSD1OCNQbp1CE4ZySOHLUO7hzdbtPeR3ikd+rWfLY22 VvVmAmJ3q9K4heGnVY9d3dBGZT48WS+1hSoPA18MDK53kWsMi2ZGCJjcvQ6igWboweGmXk PSOnjQ3RlnkYEBfMPIQSgLx0aiUmVwE= Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 2CD101396E; Mon, 8 Jul 2024 05:14:42 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id 8PiGNcJ1i2YbZwAAD6G6ig (envelope-from ); Mon, 08 Jul 2024 05:14:42 +0000 From: Qu Wenruo To: linux-btrfs@vger.kernel.org Cc: Andrea Gelmini Subject: [PATCH 2/4] btrfs-progs: image: fix the bug that filename sanitization not working Date: Mon, 8 Jul 2024 14:44:16 +0930 Message-ID: <697356d9b33836d8c8ced54195b463866ced4297.1720415116.git.wqu@suse.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-btrfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Score: -3.30 X-Spam-Level: X-Spam-Flag: NO X-Spamd-Result: default: False [-3.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; ARC_NA(0.00)[]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; MIME_TRACE(0.00)[0:+]; TAGGED_RCPT(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; FREEMAIL_ENVRCPT(0.00)[gmail.com]; DKIM_SIGNED(0.00)[suse.com:s=susede1]; FROM_HAS_DN(0.00)[]; FREEMAIL_CC(0.00)[gmail.com]; TO_DN_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; FUZZY_BLOCKED(0.00)[rspamd.com]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:email] [BUG] There is a bug report that image dump taken by "btrfs-image -s" doesn't really sanitize the filenames: # truncates -s 1G source.raw # mkfs.btrfs -f source.raw # mount source.raw $mnt # touch $mnt/top_secret_filename # touch $mnt/secret_filename # umount $mnt # btrfs-image -s source.raw dump.img # string dump.img | grep filename top_secret_filename secret_filename top_secret_filename secret_filename top_secret_filename [CAUSE] Using above image to store the fs, and we got the following result in fs tree: item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 3 transid 7 size 68 nbytes 16384 block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0 sequence 2 flags 0x0(none) item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 index 0 namelen 2 name: .. item 2 key (256 DIR_ITEM 439756795) itemoff 16062 itemsize 49 location key (257 INODE_ITEM 0) type FILE transid 7 data_len 0 name_len 19 name: top_secret_filename item 3 key (256 DIR_ITEM 693462946) itemoff 16017 itemsize 45 location key (258 INODE_ITEM 0) type FILE transid 7 data_len 0 name_len 15 name: secret_filename item 4 key (256 DIR_INDEX 2) itemoff 15968 itemsize 49 location key (257 INODE_ITEM 0) type FILE transid 7 data_len 0 name_len 19 name: top_secret_filename item 5 key (256 DIR_INDEX 3) itemoff 15923 itemsize 45 location key (258 INODE_ITEM 0) type FILE transid 7 data_len 0 name_len 15 name: secret_filename item 6 key (257 INODE_ITEM 0) itemoff 15763 itemsize 160 generation 7 transid 7 size 0 nbytes 0 block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0 sequence 1 flags 0x0(none) item 7 key (257 INODE_REF 256) itemoff 15734 itemsize 29 index 2 namelen 19 name: top_secret_filename item 8 key (258 INODE_ITEM 0) itemoff 15574 itemsize 160 generation 7 transid 7 size 0 nbytes 0 block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0 sequence 1 flags 0x0(none) item 9 key (258 INODE_REF 256) itemoff 15549 itemsize 25 index 3 namelen 15 name: 1���'�gc*&R The result shows, only the last INODE_REF got sanitized, all the remaining is not touched at all. This is cauesd by how we sanitize the filenames: copy_buffer() |- memcpy(dst, src->data, src->len); | This means we copy the whole eb into our buffer already. | |- zero_items() |- sanitize_name() |- eb = alloc_dummy_eb(); |- memcpy(eb->data, src->data, src->len); | This means we generate a dummy eb with the same contents of | the source eb. | |- sanitize_dir_item(); | We override the dir item of the given item (specified by the | slot number) inside our dummy eb. | |- memcpy(dst, eb->data, eb->lem); The last one copy the dummy eb into our buffer, with only the slot corrupted. But when the whole work flow hits the next slot, we only corrupt the next slot, but still copy the whole dummy eb back to buffer. This means the previous slot would be overwritten by the old unsanitized data. Resulting only the last slot is corrupted. [FIX] Fix the bug by only copying back the corrupted item to the buffer. So that other slots won't be overwritten by unsanitized data. Reported-by: Andrea Gelmini Signed-off-by: Qu Wenruo --- image/sanitize.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/image/sanitize.c b/image/sanitize.c index 084da22e401e..ef4f6e515633 100644 --- a/image/sanitize.c +++ b/image/sanitize.c @@ -449,6 +449,8 @@ void sanitize_name(enum sanitize_mode sanitize, struct rb_root *name_tree, int slot) { struct extent_buffer *eb; + u32 item_ptr_off = btrfs_item_ptr_offset(src, slot); + u32 item_ptr_size = btrfs_item_size(src, slot); eb = alloc_dummy_eb(src->start, src->len); if (!eb) { @@ -476,7 +478,11 @@ void sanitize_name(enum sanitize_mode sanitize, struct rb_root *name_tree, break; } - memcpy(dst, eb->data, eb->len); + /* + * Only overwrite the sanitized part, or we can overwrite previous + * sanitized value with the old values from @src. + */ + memcpy(dst + item_ptr_off, eb->data + item_ptr_off, item_ptr_size); free(eb); } From patchwork Mon Jul 8 05:14:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Qu Wenruo X-Patchwork-Id: 13726170 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8067710A3D for ; Mon, 8 Jul 2024 05:14:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.130 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720415689; cv=none; b=Kqq5RcYK8UPfDr0PG8b5MD1ZEKRAPbA1nIqEqc1MSqURwUKJLX2QSVoiVOIar5D+mcnAjaoQiYlJRWwrY6xuOarW8tDsjO4x4NvBfy0pIAbzQKDlg+eY2sLExJJyQSD6c941aPr0UhNgEMnYlN7COJ2z05TVGAdK5G1pzNQVnlc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720415689; c=relaxed/simple; bh=vsffEgL9/FKvxkMmK77ajFylh2WS00aSY+AzesMAaGY=; h=From:To:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=tGosoc9LuaKjtV5gKDsGbRuv7717WdCoI0XrL5nT0N6cEMJnMwFooKjUA4dy6ftXgWBIwnUfmRAC5bH42VCQv7RjMaV8EGc3OF6MMGpTdmcomFAVWllGYgLvQUd7A+owtu14p5YxDaKMzEh2KE5DwJnK3O3F0L9hvUkzPpwZDvI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=TFNT+ZII; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=TFNT+ZII; arc=none smtp.client-ip=195.135.223.130 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="TFNT+ZII"; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="TFNT+ZII" Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id B90DD219E0 for ; Mon, 8 Jul 2024 05:14:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1720415685; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mDa2zMOUlm99ep0ANXN4C1mAyqVY0s/zIVC0uOjxICs=; b=TFNT+ZIIZeh2/P2c/NLQCQ36L4snGPrDC6eAkAkQaOKXflQWwklblCsFsSSt7owo2443HW fvrCTgN1bmMtqBLVejTehE82js4uDb7P5nek4GeBunxn6/Uxe6MyT8QYlsXCTPID5E+2hL 7u1r/93uW0S3/94HUzQt1abi2R2va98= Authentication-Results: smtp-out1.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1720415685; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mDa2zMOUlm99ep0ANXN4C1mAyqVY0s/zIVC0uOjxICs=; b=TFNT+ZIIZeh2/P2c/NLQCQ36L4snGPrDC6eAkAkQaOKXflQWwklblCsFsSSt7owo2443HW fvrCTgN1bmMtqBLVejTehE82js4uDb7P5nek4GeBunxn6/Uxe6MyT8QYlsXCTPID5E+2hL 7u1r/93uW0S3/94HUzQt1abi2R2va98= Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id D80C21396E for ; Mon, 8 Jul 2024 05:14:44 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id cHrTI8R1i2YbZwAAD6G6ig (envelope-from ) for ; Mon, 08 Jul 2024 05:14:44 +0000 From: Qu Wenruo To: linux-btrfs@vger.kernel.org Subject: [PATCH 3/4] btrfs-progs: fix rand_range() Date: Mon, 8 Jul 2024 14:44:17 +0930 Message-ID: X-Mailer: git-send-email 2.45.2 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-btrfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spamd-Result: default: False [-2.73 / 50.00]; BAYES_HAM(-2.43)[97.39%]; NEURAL_HAM_LONG(-1.00)[-1.000]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_ALL(0.00)[]; ARC_NA(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_VIA_SMTP_AUTH(0.00)[]; MIME_TRACE(0.00)[0:+]; DKIM_SIGNED(0.00)[suse.com:s=susede1]; PREVIOUSLY_DELIVERED(0.00)[linux-btrfs@vger.kernel.org]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:email] X-Spam-Flag: NO X-Spam-Score: -2.73 X-Spam-Level: [BUG] Btrfs-image with "-s" option is not properly genearting the desired range [33, 126], thus even with the filename sanitization fixed, it's still generate filenames beyond ASCII ranges: item 9 key (258 INODE_REF 256) itemoff 15549 itemsize 25 index 3 namelen 15 name: 1���'�gc*&R [CAUSE] It's the function rand_range() return value larger than the specified @upper. The cause is in the timing when we trim the value down to 32 bits: return (unsigned int)(jrand48(rand_seed) % upper); Unlike the name, jrand48() generate uniformly distrbuted value between [-2^31, 2^31 - 1], which is the full range of s32. And the result of a modulus operation with a minus input is still minus. Thus even if we later convert it to unsigned int, the minus value is much larger than @upper and caused the problem. [FIX] Convert the value to unsigned int first, then do the modulus operation. Furthermore to prevent the problem from happening again, add a new UASSERT() to make sure the result is indeed smaller than @upper. Signed-off-by: Qu Wenruo --- common/utils.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/common/utils.c b/common/utils.c index 3ca7cff396fe..8f6556b345e8 100644 --- a/common/utils.c +++ b/common/utils.c @@ -922,12 +922,12 @@ u32 rand_u32(void) /* Return random number in range [0, upper) */ unsigned int rand_range(unsigned int upper) { + int ret; + __init_seed(); - /* - * Use the full 48bits to mod, which would be more uniformly - * distributed - */ - return (unsigned int)(jrand48(rand_seed) % upper); + ret = (unsigned int)(jrand48(rand_seed)) % upper; + UASSERT(ret < upper); + return ret; } int rand_int(void) From patchwork Mon Jul 8 05:14:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Qu Wenruo X-Patchwork-Id: 13726171 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D67CD1173F for ; Mon, 8 Jul 2024 05:14:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720415690; cv=none; b=EAwgEQcCL0gKksIAe2JdfgizMWbLyPpCt043YxjOf4g2MaZ0xr+7B/H1Gj2TB4rkWXadm158JfJZnA9URkD2/h8yOtBbHT7z/QPUxRmo1QN4R99AYyRWvn+bOBw1DWXdwTqgqXRu1gKdQ84/aHjX1fT6+PGcC3Nv3ZAeh6ShI+k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720415690; c=relaxed/simple; bh=da+KXIXZbQllWE3f0ELpNROhWiC1KFx810/X3no8TRM=; h=From:To:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=aWW93NS+caGOcSbMCCBjKlRWEJdqR5zBajp7i5ncOYrnEUhmKx7qHG5lhyiEPSN8sL/P4+JGKQVJMa69FoLfPHZzlLDb6JmdceyKhZMLGL+tuOl/7rFrn2446QTzbA2dQ9h6gokpgrt8kiJZhr3sZ+REi4lioUu/ILKtlUd/JA0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=LL0ZGuSy; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=LL0ZGuSy; arc=none smtp.client-ip=195.135.223.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="LL0ZGuSy"; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="LL0ZGuSy" Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 2AA6F1FBED for ; Mon, 8 Jul 2024 05:14:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1720415687; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XXZ0ZlCaPmvdWH6ayv8ca/MtUcffQe7jjhXtJIygt/o=; b=LL0ZGuSyea+9S1knFSjzAbUfZaCsGgmfmGplBIjE9olNxjAyK2MjkocsIzQWDe+nG0baHR m47JIp17KDkmm/DAztkQiOYYABQFHCx4l9Aoe6K/beS2UhLdyyTKpNF3ds6aho06SZpng2 u8u7N7fGFG1sX7+Ir7Hf1v7SybIWaxo= Authentication-Results: smtp-out2.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1720415687; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XXZ0ZlCaPmvdWH6ayv8ca/MtUcffQe7jjhXtJIygt/o=; b=LL0ZGuSyea+9S1knFSjzAbUfZaCsGgmfmGplBIjE9olNxjAyK2MjkocsIzQWDe+nG0baHR m47JIp17KDkmm/DAztkQiOYYABQFHCx4l9Aoe6K/beS2UhLdyyTKpNF3ds6aho06SZpng2 u8u7N7fGFG1sX7+Ir7Hf1v7SybIWaxo= Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 49D961396E for ; Mon, 8 Jul 2024 05:14:46 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id OIMvAcZ1i2YbZwAAD6G6ig (envelope-from ) for ; Mon, 08 Jul 2024 05:14:46 +0000 From: Qu Wenruo To: linux-btrfs@vger.kernel.org Subject: [PATCH 4/4] btrfs-progs: misc-tests: add a test case for filename sanitization Date: Mon, 8 Jul 2024 14:44:18 +0930 Message-ID: <47cb2c90e2786db2830fe6ef5042f6c9b2e97278.1720415116.git.wqu@suse.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-btrfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Score: -2.80 X-Spam-Level: X-Spam-Flag: NO X-Spamd-Result: default: False [-2.80 / 50.00]; BAYES_HAM(-3.00)[99.99%]; NEURAL_HAM_LONG(-1.00)[-1.000]; MID_CONTAINS_FROM(1.00)[]; R_MISSING_CHARSET(0.50)[]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; FUZZY_BLOCKED(0.00)[rspamd.com]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; ARC_NA(0.00)[]; DKIM_SIGNED(0.00)[suse.com:s=susede1]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:email]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[linux-btrfs@vger.kernel.org]; RCVD_TLS_ALL(0.00)[] This test case checks: - If a regular btrfs-image dump has the unsanitized filenames - If a sanitized btrfs-image dump has filenames properly censored Signed-off-by: Qu Wenruo --- tests/misc-tests/065-image-filename/test.sh | 33 +++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100755 tests/misc-tests/065-image-filename/test.sh diff --git a/tests/misc-tests/065-image-filename/test.sh b/tests/misc-tests/065-image-filename/test.sh new file mode 100755 index 000000000000..a9567ad672ef --- /dev/null +++ b/tests/misc-tests/065-image-filename/test.sh @@ -0,0 +1,33 @@ +#!/bin/bash +# Verify "btrfs-image -s" sanitize the filenames correctly + +source "$TEST_TOP/common" || exit +source "$TEST_TOP/common.convert" || exit + +setup_root_helper +prepare_test_dev + +tmp=$(mktemp --tmpdir btrfs-progs-image-filename.XXXXXX) + +run_check_mkfs_test_dev +run_check_mount_test_dev +run_check $SUDO_HELPER touch "$TEST_MNT/top_secret_filename" +run_check $SUDO_HELPER touch "$TEST_MNT/secret_filename" +run_check $SUDO_HELPER touch "$TEST_MNT/confidential_filename" +run_check_umount_test_dev + +run_check "$TOP/btrfs-image" "$TEST_DEV" "$tmp" +echo "strings found inside the regular dump:" >> "$RESULTS" +strings "$tmp" >> "$RESULTS" +if ! strings "$tmp" | grep -q _filename "$tmp"; then + rm -f -- "$tmp" + _fail "regular dump sanitized the filenames" +fi +run_check "$TOP/btrfs-image" -s "$TEST_DEV" "$tmp" +echo "strings found inside the sanitized dump:" >> "$RESULTS" +strings "$tmp" >> "$RESULTS" +if strings "$tmp" | grep -q _filename "$tmp"; then + rm -f -- "$tmp" + _fail "filenames not properly sanitized" +fi +rm -f -- "$tmp"