[24/30] xfs_db: obfuscate dirent and parent pointer names consistently

Message ID	168506078214.3749421.36805463282468678.stgit@frogsfrogsfrogs (mailing list archive)
State	Superseded, archived
Headers	show Return-Path: <linux-xfs-owner@vger.kernel.org> Date: Thu, 25 May 2023 19:28:04 -0700 Subject: [PATCH 24/30] xfs_db: obfuscate dirent and parent pointer names consistently From: "Darrick J. Wong" <djwong@kernel.org> To: djwong@kernel.org, cem@kernel.org Cc: linux-xfs@vger.kernel.org, allison.henderson@oracle.com, catherine.hoang@oracle.com Message-ID: <168506078214.3749421.36805463282468678.stgit@frogsfrogsfrogs> In-Reply-To: <168506077876.3749421.7883085669588003826.stgit@frogsfrogsfrogs> References: <168506077876.3749421.7883085669588003826.stgit@frogsfrogsfrogs> User-Agent: StGit/0.19 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Precedence: bulk
Series	xfsprogs: Parent Pointers \| expand [PATCHSET,v12.0,00/30] xfsprogs: Parent Pointers [01/30] xfs: add parent pointer support to attribute code [02/30] xfs: define parent pointer ondisk extended attribute format [03/30] xfs: add parent pointer validator functions [04/30] xfs: extend transaction reservations for parent attributes [05/30] xfs: parent pointer attribute creation [06/30] xfs: add parent attributes to link [07/30] xfs: add parent attributes to symlink [08/30] xfs: remove parent pointers in unlink [09/30] xfs: Add parent pointers to rename [10/30] xfs: pass the attr value to put_listent when possible [11/30] xfs: Add parent pointer ioctl [12/30] xfs: fix unit conversion error in xfs_log_calc_max_attrsetm_res [13/30] xfs: drop compatibility minimum log size computations for reflink [14/30] xfs: don't remove the attr fork when parent pointers are enabled [15/30] xfs: Add the parent pointer support to the superblock version 5. [16/30] libfrog: add parent pointer support code [17/30] xfs_io: adapt parent command to new parent pointer ioctls [18/30] xfs_io: Add i, n and f flags to parent command [19/30] xfs_logprint: decode parent pointers in ATTRI items fully [20/30] xfs_spaceman: report file paths [21/30] xfs_scrub: use parent pointers when possible to report file operations [22/30] xfs_db: report parent bit on xattrs [23/30] xfs_db: report parent pointers embedded in xattrs [24/30] xfs_db: obfuscate dirent and parent pointer names consistently [25/30] libxfs: export attr3_leaf_hdr_from_disk via libxfs_api_defs.h [26/30] xfs_db: add a parents command to list the parents of a file [27/30] libxfs: create new files with attr forks if necessary [28/30] xfsprogs: Fix default superblock attr bits [29/30] mkfs: Add parent pointers during protofile creation [30/30] mkfs: enable formatting with parent pointers

diff --git a/db/metadump.c b/db/metadump.c index d9a616a9296..9b036c7b5db 100644 --- a/db/metadump.c +++ b/db/metadump.c @@ -21,6 +21,14 @@ #include "dir2.h" #include "obfuscate.h" +#undef REMAP_DEBUG + +#ifdef REMAP_DEBUG +# define remap_debug printf +#else +# define remap_debug(...) ((void)0) +#endif + #define DEFAULT_MAX_EXT_SIZE XFS_MAX_BMBT_EXTLEN /* copy all metadata structures to/from a file */ @@ -737,6 +745,111 @@ nametable_add(xfs_dahash_t hash, int namelen, unsigned char *name) return ent; } +/* + * Obfuscated name remapping table for parent pointer-enabled filesystems. + * When this feature is enabled, we have to maintain consistency between the + * names that appears in the dirent and the corresponding parent pointer. + */ + +struct remap_ent { + struct remap_ent *next; + xfs_ino_t dir_ino; + xfs_dahash_t namehash; + uint8_t namelen; + + uint8_t names[]; +}; + +static inline uint8_t *remap_ent_before(struct remap_ent *ent) +{ + return &ent->names[0]; +} + +static inline uint8_t *remap_ent_after(struct remap_ent *ent) +{ + return &ent->names[ent->namelen]; +} + +#define REMAP_TABLE_SIZE 4096 + +static struct remap_ent *remaptable[REMAP_TABLE_SIZE]; + +static void +remaptable_clear(void) +{ + int i; + struct remap_ent *ent, *next; + + for (i = 0; i < REMAP_TABLE_SIZE; i++) { + ent = remaptable[i]; + + while (ent) { + next = ent->next; + free(ent); + ent = next; + } + } +} + +/* Try to find a remapping table entry. */ +static struct remap_ent * +remaptable_find( + xfs_ino_t dir_ino, + xfs_dahash_t namehash, + const unsigned char *name, + unsigned int namelen) +{ + struct remap_ent *ent = remaptable[namehash % REMAP_TABLE_SIZE]; + + remap_debug("REMAP FIND: 0x%lx hash 0x%x '%.*s'\n", + dir_ino, namehash, namelen, name); + + while (ent) { + remap_debug("REMAP ENT: 0x%lx hash 0x%x '%.*s'\n", + ent->dir_ino, ent->namehash, ent->namelen, + remap_ent_before(ent)); + + if (ent->dir_ino == dir_ino && + ent->namehash == namehash && + ent->namelen == namelen && + !memcmp(remap_ent_before(ent), name, namelen)) + return ent; + ent = ent->next; + } + + return NULL; +} + +/* Remember the remapping for a particular dirent that we obfuscated. */ +static struct remap_ent * +remaptable_add( + xfs_ino_t dir_ino, + xfs_dahash_t namehash, + const unsigned char *old_name, + unsigned int namelen, + const unsigned char *new_name) +{ + struct remap_ent *ent; + + ent = malloc(sizeof(struct remap_ent) + (namelen * 2)); + if (!ent) + return NULL; + + ent->dir_ino = dir_ino; + ent->namehash = namehash; + ent->namelen = namelen; + memcpy(remap_ent_before(ent), old_name, namelen); + memcpy(remap_ent_after(ent), new_name, namelen); + ent->next = remaptable[namehash % REMAP_TABLE_SIZE]; + + remaptable[namehash % REMAP_TABLE_SIZE] = ent; + + remap_debug("REMAP ADD: 0x%lx hash 0x%x '%.*s' -> '%.*s'\n", + dir_ino, namehash, namelen, old_name, namelen, + new_name); + return ent; +} + #define ORPHANAGE "lost+found" #define ORPHANAGE_LEN (sizeof (ORPHANAGE) - 1) @@ -861,6 +974,7 @@ generate_obfuscated_name( int namelen, unsigned char *name) { + unsigned char *old_name = NULL; xfs_dahash_t hash; /* @@ -882,8 +996,33 @@ generate_obfuscated_name( name++; /* Obfuscate the name (if possible) */ - hash = dirattr_hashname(ino != 0, name, namelen); + + /* + * If we're obfuscating a dirent name on a pptrs filesystem, see if we + * already processed the parent pointer and use the same name. + */ + if (xfs_has_parent(mp) && ino) { + struct remap_ent *remap; + + remap = remaptable_find(cur_ino, hash, name, namelen); + if (remap) { + remap_debug("found obfuscated dir 0x%lx '%.*s' -> 0x%lx -> '%.*s' \n", + cur_ino, namelen, + remap_ent_before(remap), ino, namelen, + remap_ent_after(remap)); + memcpy(name, remap_ent_after(remap), namelen); + return; + } + + /* + * If we haven't procesed this dirent name before, save the + * old name for a remap table entry. Obfuscate the name. + */ + old_name = alloca(namelen); + memcpy(old_name, name, namelen); + } + obfuscate_name(hash, namelen, name, ino != 0); ASSERT(hash == dirattr_hashname(ino != 0, name, namelen)); @@ -908,6 +1047,23 @@ generate_obfuscated_name( "in dir inode %llu\n", (unsigned long long) ino, (unsigned long long) cur_ino); + + /* + * We've obfuscated a name in the directory entry. Remember this + * remapping for when we come across the parent pointer later. + */ + if (!old_name) + return; + + remap_debug("obfuscating dir 0x%lx '%.*s' -> 0x%lx -> '%.*s' \n", + cur_ino, namelen, old_name, ino, namelen, + name); + + if (!remaptable_add(cur_ino, hash, old_name, namelen, name)) + print_warning("unable to record remapped dirent name for inode %llu " + "in dir inode %llu\n", + (unsigned long long) ino, + (unsigned long long) cur_ino); } static void @@ -1041,6 +1197,123 @@ process_sf_symlink( memset(&buf[len], 0, XFS_DFORK_DSIZE(dip, mp) - len); } +static inline bool +want_obfuscate_pptr( + unsigned int nsp_flags, + const void *name, + unsigned int namelen, + const void *value, + unsigned int valuelen) +{ + if (!obfuscate) + return false; + + /* Ignore if parent pointers aren't enabled. */ + if (!xfs_has_parent(mp)) + return false; + + /* Ignore anything not claiming to be a parent pointer. */ + if (!(nsp_flags & XFS_ATTR_PARENT)) + return false; + + /* Obfuscate this parent pointer if it passes basic checks. */ + if (libxfs_parent_namecheck(mp, name, namelen, nsp_flags) && + libxfs_parent_valuecheck(mp, value, valuelen)) + return true; + + /* Ignore otherwise. */ + return false; +} + +static void +obfuscate_parent_pointer( + const struct xfs_parent_name_rec *rec, + unsigned char *value, + unsigned int valuelen) +{ + struct xfs_parent_name_irec irec; + struct remap_ent *remap; + char *old_name = irec.p_name; + xfs_dahash_t hash; + xfs_ino_t child_ino = cur_ino; + + libxfs_parent_irec_from_disk(&irec, rec, value, valuelen); + + /* + * We don't obfuscate "lost+found" or any orphan files + * therein. If When the name table is used for extended + * attributes, the inode number provided is 0, in which + * case we don't need to make this check. + */ + cur_ino = irec.p_ino; + if (in_lost_found(child_ino, valuelen, value)) { + cur_ino = child_ino; + return; + } + cur_ino = child_ino; + + /* + * If the name starts with a slash, just skip over it. It isn't + * included in the hash and we don't record it in the name table. + */ + if (*value == '/') { + old_name++; + value++; + valuelen--; + } + + hash = libxfs_da_hashname(value, valuelen); + + /* + * If we already processed the dirent, use the same name for the parent + * pointer. + */ + remap = remaptable_find(irec.p_ino, hash, value, valuelen); + if (remap) { + remap_debug("found obfuscated pptr 0x%lx '%.*s' -> 0x%lx -> '%.*s' \n", + irec.p_ino, valuelen, remap_ent_before(remap), + cur_ino, valuelen, remap_ent_after(remap)); + memcpy(value, remap_ent_after(remap), valuelen); + return; + } + + /* + * Obfuscate the parent pointer name and remember this for later + * in case we encounter the dirent and need to reuse the name there. + */ + obfuscate_name(hash, valuelen, value, true); + + remap_debug("obfuscated pptr 0x%lx '%.*s' -> 0x%lx -> '%.*s'\n", + irec.p_ino, valuelen, old_name, cur_ino, valuelen, + value); + if (!remaptable_add(irec.p_ino, hash, old_name, valuelen, value)) + print_warning("unable to record remapped pptr name for inode %llu " + "in dir inode %llu\n", + (unsigned long long) cur_ino, + (unsigned long long) irec.p_ino); +} + +static inline bool +want_obfuscate_attr( + unsigned int nsp_flags, + const void *name, + unsigned int namelen, + const void *value, + unsigned int valuelen) +{ + if (!obfuscate) + return false; + + /* + * If we didn't already obfuscate the parent pointer, it's probably + * corrupt. Leave it intact for analysis. + */ + if (nsp_flags & XFS_ATTR_PARENT) + return false; + + return true; +} + static void process_sf_attr( struct xfs_dinode *dip) @@ -1070,7 +1343,7 @@ process_sf_attr( asfep = &asfp->list[0]; for (i = 0; (i < asfp->hdr.count) && ((char *)asfep - (char *)asfp < ino_attr_size); i++) { - + void *name, *value; int namelen = asfep->namelen; if (namelen == 0) { @@ -1086,11 +1359,16 @@ process_sf_attr( break; } - if (obfuscate) { - generate_obfuscated_name(0, asfep->namelen, - &asfep->nameval[0]); - memset(&asfep->nameval[asfep->namelen], 'v', - asfep->valuelen); + name = &asfep->nameval[0]; + value = &asfep->nameval[asfep->namelen]; + + if (want_obfuscate_pptr(asfep->flags, name, namelen, value, + asfep->valuelen)) { + obfuscate_parent_pointer(name, value, asfep->valuelen); + } else if (want_obfuscate_attr(asfep->flags, name, namelen, + value, asfep->valuelen)) { + generate_obfuscated_name(0, asfep->namelen, name); + memset(value, 'v', asfep->valuelen); } asfep = (struct xfs_attr_sf_entry *)((char *)asfep + @@ -1457,6 +1735,9 @@ process_attr_block( break; } if (entry->flags & XFS_ATTR_LOCAL) { + void *name, *value; + unsigned int valuelen; + local = xfs_attr3_leaf_name_local(leaf, i); if (local->namelen == 0) { if (show_warnings) @@ -1465,11 +1746,21 @@ process_attr_block( (long long)cur_ino); break; } - if (obfuscate) { + + name = &local->nameval[0]; + value = &local->nameval[local->namelen]; + valuelen = be16_to_cpu(local->valuelen); + + if (want_obfuscate_pptr(entry->flags, name, + local->namelen, value, + valuelen)) { + obfuscate_parent_pointer(name, value, valuelen); + } else if (want_obfuscate_attr(entry->flags, name, + local->namelen, value, + valuelen)) { generate_obfuscated_name(0, local->namelen, - &local->nameval[0]); - memset(&local->nameval[local->namelen], 'v', - be16_to_cpu(local->valuelen)); + name); + memset(value, 'v', valuelen); } /* zero from end of nameval[] to next name start */ nlen = local->namelen; @@ -2846,6 +3137,7 @@ metadump_f( pop_cur(); out: free(metablock); + remaptable_clear(); return 0; } diff --git a/libxfs/libxfs_api_defs.h b/libxfs/libxfs_api_defs.h index 70db72b0a37..7779040f0ba 100644 --- a/libxfs/libxfs_api_defs.h +++ b/libxfs/libxfs_api_defs.h @@ -178,6 +178,8 @@ #define xfs_parent_finish libxfs_parent_finish #define xfs_parent_irec_from_disk libxfs_parent_irec_from_disk #define xfs_parent_start libxfs_parent_start +#define xfs_parent_namecheck libxfs_parent_namecheck +#define xfs_parent_valuecheck libxfs_parent_valuecheck #define xfs_perag_get libxfs_perag_get #define xfs_perag_put libxfs_perag_put #define xfs_prealloc_blocks libxfs_prealloc_blocks

[24/30] xfs_db: obfuscate dirent and parent pointer names consistently

Commit Message

Patch