On 2019/7/26 下午4:15, Naohiro Aota wrote:
> On Fri, Jul 26, 2019 at 02:36:10PM +0800, Qu Wenruo wrote:
>>
>>
>> On 2019/7/26 下午2:13, Naohiro Aota wrote:
>>> On Fri, Jul 26, 2019 at 08:38:27AM +0300, Nikolay Borisov wrote:
>>>>
>>>>
>>>> On 26.07.19 г. 8:27 ч., Naohiro Aota wrote:
>>>>> Several functions to read/write an extent buffer check if specified
>>>>> offset
>>>>> range resides in the size of the extent buffer. However, those checks
>>>>> have
>>>>> two problems:
>>>>>
>>>>> (1) they don't catch "start == eb->len" case.
>>>>> (2) it checks offset in extent buffer against logical address using
>>>>> eb->start.
>>>>>
>>>>> Generally, eb->start is much larger than the offset, so the second
>>>>> WARN_ON
>>>>> was almost useless.
>>>>>
>>>>> Fix these problems in read_extent_buffer_to_user(),
>>>>> {memcmp,write,memzero}_extent_buffer().
>>>>>
>>>>> Signed-off-by: Naohiro Aota <naohiro.aota@xxxxxxx>
>>>>
>>>> Qu already sent similar patch:
>>>>
>>>> [PATCH v2 1/5] btrfs: extent_io: Do extra check for extent buffer read
>>>> write functions
>>>>
>>>>
>>>> He centralised the checking code, your >= fixes though should be merged
>>>> there.
>>>
>>> Oops, I missed that series. Thank you for pointing out. Then, this
>>> should be merged into Qu's version.
>>>
>>> Qu, could you pick the change from "start > eb->len" to "start >=
>>> eb->len"?
>>
>> start >= eb->len is not always invalid.
>>
>> start == eb->len while len == 0 is still valid.
>
> Correct.
>
> But then, we can even say "start > eb->len" is valid if len == 0?
>
>> Or should we also warn such bad practice?
>
> Maybe...
>
> Or how about let the callers bailing out by e.g. "if (!len) return 1;"
> in the check function?
Well, let's forgot len == 0 case and make start >= eb->len invalid.
That len == 0 is making a lot of invalid use case valid, and making the
check more complex.
Thanks,
Qu
>
> Regards,
> Naohiro
