[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070711174347.GD19456@thunk.org>
Date: Wed, 11 Jul 2007 13:43:47 -0400
From: Theodore Tso <tytso@....edu>
To: Andreas Dilger <adilger@...sterfs.com>
Cc: Kalpak Shah <kalpak@...sterfs.com>,
linux-ext4 <linux-ext4@...r.kernel.org>
Subject: Re: Random corruption test for e2fsck
On Wed, Jul 11, 2007 at 03:44:11AM -0600, Andreas Dilger wrote:
> I've already found some kind of memory corruption in e2fsck as a result
> of running this as a regular user. It segfaults in qsort() when freeing
> memory. The image that causes this problem is attached, and it happens
> with the unpatched 1.39-WIP Mercurial tree of 2007-05-22. Unfortunately,
> I don't have any decent memory debugging tools handy, so it isn't easy to
> see what is happening. This is on an FC3 i686 system, in case it matters.
Thanks for sending me the test case! Here's the patch, which will
probably cause me to do a 1.40.2 release sooner rather than later...
- Ted
commit 5e9ba85c2694926eb784531d81ba107200cf1a51
Author: Theodore Ts'o <tytso@....edu>
Date: Wed Jul 11 13:42:43 2007 -0400
Fix e2fsck segfault on very badly damaged filesystems
A recent change to e2fsck_add_dir_info() to use tdb files to check
filesystems with a very large number of filesystems had a typo which
caused us to resize the wrong data structure. This would cause a
array overrun leading to malloc pointer corruptions. Since we
normally can very accurately predict how big the the dirinfo array
needs to be, this bug only got triggered on very badly corrupted
filesystems.
Thanks to Andreas Dilger for submitting the test case which discovered
this problem, and to Kalpak Shah for writing a random testing script
which created the test case.
Signed-off-by: "Theodore Ts'o" <tytso@....edu>
diff --git a/e2fsck/dirinfo.c b/e2fsck/dirinfo.c
index aaa4d09..f583c62 100644
--- a/e2fsck/dirinfo.c
+++ b/e2fsck/dirinfo.c
@@ -126,7 +126,7 @@ void e2fsck_add_dir_info(e2fsck_t ctx, ext2_ino_t ino, ext2_ino_t parent)
ctx->dir_info->size += 10;
retval = ext2fs_resize_mem(old_size, ctx->dir_info->size *
sizeof(struct dir_info),
- &ctx->dir_info);
+ &ctx->dir_info->array);
if (retval) {
ctx->dir_info->size -= 10;
return;
-
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists