Re: [PATCH 10/20] ext4: get rid of ppath in ext4_ext_create_new_leaf()

[Baokun Li]

On 2024/8/2 15:34, Ojaswin Mujoo wrote:
> On Wed, Jul 10, 2024 at 12:06:44PM +0800, libaokun@xxxxxxxxxxxxxxx wrote:
> > From: Baokun Li <libaokun1@xxxxxxxxxx>
> >
> > The use of path and ppath is now very confusing, so to make the code more
> > readable, pass path between functions uniformly, and get rid of ppath.
> >
> > To get rid of the ppath in ext4_ext_create_new_leaf(), the following is
> > done here:
> >
> >   * Free the extents path when an error is encountered.
> >   * Its caller needs to update ppath if it uses ppath.
> >
> > No functional changes.
> >
> > Signed-off-by: Baokun Li <libaokun1@xxxxxxxxxx>
> Hi Baokun,
Hey Ojaswin,
> The changes look good to me, feel free to add:
>
> Reviewed-by: Ojaswin Mujoo <ojaswin@xxxxxxxxxxxxx>
Thank you very much for your review!
> That being said, IIUC i think this patchset also fixes a potential UAF
> bug. Below is a sample trace with dummy values:
>
> ext4_ext_insert_extent
>    path = *ppath = 2000
>    ext4_ext_create_new_leaf(ppath)
>      path = *ppath = 2000
>      ext4_find_extent(path = 2000)
>        if (depth > path[0].p_maxdepth)
>              kfree(path = 2000);
>              path = NULL;
>        path = kcalloc() = 3000
>        ...
>        return path;
>    path = 3000
>    *ppath = 3000;
>    return;
> /* here path is still 2000 *, UAF! */
> eh = path[depth].p_hdr
>
> I'm not completely sure if we can hit (depth > path[0].p_maxdepth) in the
> above codepath but I think the flow is still a bit fragile. Maybe this
> should be fixed in a separate patch first. What do you think?
>
> Regards,
> ojaswin
Nice catch!

This is indeed a potential UAF issue, and while it seems hard to
trigger (depth > path[0].p_maxdepth), it does deserve a separate
patch, and I'll be adding a separate quick fix for this in the next version.

Regards,
Baokun