Date:	Wed, 19 Mar 2008 21:19:19 -0500
From:	Eric Sandeen <sandeen@...hat.com>
To:	Dmitri Monakhov <dmonakhov@...nvz.org>
CC:	Solofo.Ramangalahy@...l.net, linux-ext4@...r.kernel.org
Subject: Re: [2.6.25-rc5-ext4-36c86] attempt to access beyond end of device

Dmitri Monakhov wrote:
> On 10:49 Tue 18 Mar     , Solofo.Ramangalahy@...l.net wrote:
>> Hello,
>>
>> During stress testing (workload: racer from ltp + fio/iometer), here
>> is an error I am encountering:
> Confirm this issue happens after ~30secs of ltp fsstress.
> 
> This happens because of error in ext4_get_block()
> ext4_get_block()
> { 
> ...
> 	ret = ext4_get_blocks_wrap(handle, inode, iblock,
>                                         max_blocks, bh_result, create, 0);
>         if (ret > 0) {
>                 r2 = ret;
>                 bh_result->b_size = (ret << inode->i_blkbits);
> # Setting b_size, if ret > 1 then bh_result is broken because
> #  b_size must always be equal to FS logical block size(1<<inode->i_blkbits)

I don't think that's quite right.

this bh is a dummy bh, right, which just gives us info on the mapping.

static int ext4_get_block(struct inode *inode, sector_t iblock,
                        struct buffer_head *bh_result, int create)
{
        handle_t *handle = ext4_journal_current_handle();
        int ret = 0, started = 0;
        unsigned max_blocks = bh_result->b_size >> inode->i_blkbits;

for starters, ext3 does exactly the same thing.

Also look for example at get_more_blocks():

                map_bh->b_state = 0;
                map_bh->b_size = fs_count << dio->inode->i_blkbits;
...
                ret = (*dio->get_block)(dio->inode, fs_startblk,
                                                map_bh, create);

or do_mpage_readpage():

        nblocks = map_bh->b_size >> blkbits;

....

                if (block_in_file < last_block) {
                        map_bh->b_size = (last_block-block_in_file) << blkbits;
                        if (get_block(inode, block_in_file, map_bh, 0))
                                goto confused;
                        *first_logical_block = block_in_file;
                }

the bh->b_size can be more than a block; in this case it's not a problem.

maybe some buffer tracing would be in order?

-Eric
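
The b_size convention discussed in the message above, as an added user-space model that is not part of the original email and is not kernel code. The `model_*` names, the extent layout and the block numbers are constructed for illustration; only the use of `b_size` as request length on entry and mapped length on return follows the quoted snippets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space stand-ins, not the kernel's struct buffer_head. */
struct model_bh {
    uint64_t b_blocknr; /* out: first physical block of the mapping */
    size_t b_size;      /* in: bytes requested; out: bytes mapped */
    int mapped;
};
struct model_extent { uint64_t lblk, pblk; unsigned len; };

/* Constructed layout: two extents with a hole at logical blocks 8..15. */
static const struct model_extent layout[] = { { 0, 1000, 8 }, { 16, 5000, 4 } };

/* Callee: request length arrives in b_size, mapped length goes back in it. */
static int model_get_block(unsigned blkbits, uint64_t iblock, struct model_bh *bh)
{
    unsigned max_blocks = (unsigned)(bh->b_size >> blkbits);

    bh->mapped = 0;
    for (size_t i = 0; i < sizeof(layout) / sizeof(layout[0]); i++) {
        const struct model_extent *e = &layout[i];
        if (iblock < e->lblk || iblock >= e->lblk + e->len)
            continue;
        unsigned left = (unsigned)(e->lblk + e->len - iblock);
        unsigned n = left < max_blocks ? left : max_blocks; /* never exceed request */
        bh->b_blocknr = e->pblk + (iblock - e->lblk);
        bh->b_size = (size_t)n << blkbits; /* may cover more than one block */
        bh->mapped = 1;
        break;
    }
    return 0; /* a hole leaves bh unmapped */
}

/* Caller: sets b_size to the wanted run, then reads the run length back. */
static unsigned model_map(unsigned blkbits, uint64_t iblock, unsigned want, uint64_t *pblk)
{
    struct model_bh bh = { 0, (size_t)want << blkbits, 0 };
    model_get_block(blkbits, iblock, &bh);
    if (!bh.mapped) return 0;
    *pblk = bh.b_blocknr;
    return (unsigned)(bh.b_size >> blkbits);
}

int main(void)
{
    uint64_t p = 0;
    unsigned n = model_map(12, 6, 4, &p); /* ask for 4 blocks at logical 6 */
    printf("mapped %u block(s) at physical %llu\n", n, (unsigned long long)p);
    return 0;
}
```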