Date:	Wed, 17 Dec 2008 16:58:12 +0800
From:	Miao Xie <miaox@...fujitsu.com>
To:	tytso@....edu
CC:	linux-ext4@...r.kernel.org
Subject: [PATCH] [e2fsprogs] e2fsck: fix segmentation fault when block size
 is greater than 8192

When I ran fsck on a filesystem with a large blocksize (greater than 8192),
a segmentation fault occurred. The cause is the size of the b_data array, which
is defined as a fixed size in the buffer_head structure.
  (File: e2fsck/jfs_user.h)
  struct buffer_head {
	char		b_data[8192];
	e2fsck_t	b_ctx;
	io_channel	b_io;
	int		b_size;
	blk_t		b_blocknr;
	int		b_dirty;
	int		b_uptodate;
	int		b_err;
  };

This is unreasonable, because if the blocksize is greater than 8192, b_data will
overflow and the other variables will be changed; then, if we touch those
variables, a segmentation fault occurs.

This patch fixes this bug.

Signed-off-by: Miao Xie <miaox@...fujitsu.com>

---
 e2fsck/jfs_user.h |    2 +-
 e2fsck/journal.c  |    8 ++++++++
 2 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/e2fsck/jfs_user.h b/e2fsck/jfs_user.h
index 0e4f951..f042218 100644
--- a/e2fsck/jfs_user.h
+++ b/e2fsck/jfs_user.h
@@ -15,7 +15,7 @@
 #include "e2fsck.h"
 
 struct buffer_head {
-	char		b_data[8192];
+	char *		b_data;
 	e2fsck_t	b_ctx;
 	io_channel 	b_io;
 	int	 	b_size;
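Review bot: with b_data changed from an embedded array to a pointer in struct buffer_head, any remaining sizeof(bh->b_data) now evaluates to the pointer size, and any buffer_head that is not obtained through getblk() has no buffer behind it. The diffstat touches only jfs_user.h and journal.c, so please confirm that no other user of this struct relies on the old embedded array, and add a comment on the field saying the memory is allocated in getblk() and released in brelse(). Style nit: the declaration would normally be written as char *b_data, with the star attached to the name.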
diff --git a/e2fsck/journal.c b/e2fsck/journal.c
index 10f5095..ca7a4c3 100644
--- a/e2fsck/journal.c
+++ b/e2fsck/journal.c
@@ -73,6 +73,12 @@ struct buffer_head *getblk(kdev_t kdev, blk_t blocknr, int blocksize)
 	if (!bh)
 		return NULL;
 
+	bh->b_data = e2fsck_allocate_memory(kdev->k_ctx, blocksize,
+						"block buffer b_data");
+	if (!bh->b_data) {
+		ext2fs_free_mem(&bh);
+		return NULL;
+	}
 #ifdef CONFIG_JBD_DEBUG
 	if (journal_enable_debug >= 3)
 		bh_count++;
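Review bot: getblk() passes its int blocksize parameter straight to e2fsck_allocate_memory() as the allocation size with no range check, so a zero or negative value reaches the allocator unchanged. Since the point of the patch is that b_data must hold a full block, reject blocksize <= 0 before allocating, or assert that it equals the filesystem block size. Also check whether e2fsck_allocate_memory() can return NULL at all: if it aborts on failure, the new if (!bh->b_data) branch is dead code; if it can return NULL, the cleanup with ext2fs_free_mem(&bh) is correct. A blank line before #ifdef CONFIG_JBD_DEBUG would keep the new block visually separate.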
@@ -163,6 +169,8 @@ void brelse(struct buffer_head *bh)
 		ll_rw_block(WRITE, 1, &bh);
 	jfs_debug(3, "freeing block %lu/%p (total %d)\n",
 		  (unsigned long) bh->b_blocknr, (void *) bh, --bh_count);
+	if (bh->b_data)
+		ext2fs_free_mem(&bh->b_data);
 	ext2fs_free_mem(&bh);
 }
 
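Review bot: the if (bh->b_data) guard in brelse() is redundant with getblk() as patched, because getblk() returns NULL rather than a buffer_head whose b_data allocation failed. Either drop the guard or keep it with a short comment saying it is defensive. The placement is right: the free comes after ll_rw_block(WRITE, 1, &bh), so a dirty buffer is written out before its data is released, and that ordering deserves a one-line comment so later edits do not move the free above the write.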
-- 
1.5.4.rc3
