Message-ID: <20070711174347.GD19456@thunk.org>
Date:	Wed, 11 Jul 2007 13:43:47 -0400
From:	Theodore Tso <tytso@....edu>
To:	Andreas Dilger <adilger@...sterfs.com>
Cc:	Kalpak Shah <kalpak@...sterfs.com>,
	linux-ext4 <linux-ext4@...r.kernel.org>
Subject: Re: Random corruption test for e2fsck

On Wed, Jul 11, 2007 at 03:44:11AM -0600, Andreas Dilger wrote:
> I've already found some kind of memory corruption in e2fsck as a result
> of running this as a regular user.  It segfaults in qsort() when freeing
> memory.  The image that causes this problem is attached, and it happens
> with the unpatched 1.39-WIP Mercurial tree of 2007-05-22.  Unfortunately,
> I don't have any decent memory debugging tools handy, so it isn't easy to
> see what is happening.  This is on an FC3 i686 system, in case it matters.

Thanks for sending me the test case!  Here's the patch, which will
probably cause me to do a 1.40.2 release sooner rather than later...

						- Ted

commit 5e9ba85c2694926eb784531d81ba107200cf1a51
Author: Theodore Ts'o <tytso@....edu>
Date:   Wed Jul 11 13:42:43 2007 -0400

    Fix e2fsck segfault on very badly damaged filesystems
    
    A recent change to e2fsck_add_dir_info() to use tdb files to check
    filesystems with a very large number of filesystems had a typo which
    caused us to resize the wrong data structure.  This would cause a
    array overrun leading to malloc pointer corruptions.  Since we
    normally can very accurately predict how big the the dirinfo array
    needs to be, this bug only got triggered on very badly corrupted
    filesystems.
    
    Thanks to Andreas Dilger for submitting the test case which discovered
    this problem, and to Kalpak Shah for writing a random testing script
    which created the test case.
    
    Signed-off-by: "Theodore Ts'o" <tytso@....edu>

diff --git a/e2fsck/dirinfo.c b/e2fsck/dirinfo.c
index aaa4d09..f583c62 100644
--- a/e2fsck/dirinfo.c
+++ b/e2fsck/dirinfo.c
@@ -126,7 +126,7 @@ void e2fsck_add_dir_info(e2fsck_t ctx, ext2_ino_t ino, ext2_ino_t parent)
 		ctx->dir_info->size += 10;
 		retval = ext2fs_resize_mem(old_size, ctx->dir_info->size *
 					   sizeof(struct dir_info),
-					   &ctx->dir_info);
+					   &ctx->dir_info->array);
 		if (retval) {
 			ctx->dir_info->size -= 10;
 			return;
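Review bot: the corrected third argument still goes through an untyped pointer parameter of ext2fs_resize_mem, which is why `&ctx->dir_info` and `&ctx->dir_info->array` both compiled silently and why this line can regress without a warning; a one-line comment at the call stating that the argument must be the address of the `array` member, or a small typed helper for growing the dirinfo array, would make the next edit here safer. Separately, the failure path rolls `ctx->dir_info->size` back by 10 and returns without signalling anything, so the caller never learns that this inode's entry was not recorded; surfacing that as an error indication would let a later pass notice the gap instead of treating the directory as absent.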
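The shape of the bug in the hunk above, as an added illustration that is not e2fsprogs code: a table whose `array` member grows in steps of 10 when the predicted size is exceeded, with the generic resize routed through a typed wrapper so that passing the table pointer instead of the array pointer is a compile error rather than a heap corruption. All names here (`dir_info_table`, `resize_mem`, `dirinfo_add`, `dirinfo_fill`) are hypothetical stand-ins for the e2fsck structures, and the inode numbers fed in are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One directory's bookkeeping, modelled on e2fsck's struct dir_info. */
struct dir_info {
    unsigned int ino;
    unsigned int parent;
    unsigned int dotdot;
};

/* Container (hypothetical name): size is the allocated entry count,
 * count the used entry count, array the block that must be resized. */
struct dir_info_table {
    int size;
    int count;
    struct dir_info *array;
};

/* Generic resize in the style of ext2fs_resize_mem(old, new, void *pptr):
 * pptr is the address of the pointer being resized. Because the parameter
 * is untyped, the compiler cannot tell &tbl from &tbl->array, which is
 * exactly how the typo fixed by the patch above compiled cleanly. */
static int resize_mem(size_t old_size, size_t new_size, void *pptr)
{
    void **p = (void **)pptr;
    void *n = realloc(*p, new_size);
    if (!n)
        return -1;
    if (new_size > old_size)
        memset((char *)n + old_size, 0, new_size - old_size);
    *p = n;
    return 0;
}

/* Typed wrapper: only a struct dir_info ** is accepted, so a call like
 * dirinfo_resize(&tbl, ...) is rejected at compile time. */
static int dirinfo_resize(struct dir_info **arr, int old_n, int new_n)
{
    return resize_mem((size_t)old_n * sizeof(**arr),
                      (size_t)new_n * sizeof(**arr), arr);
}

struct dir_info_table *dirinfo_create(int predicted)
{
    struct dir_info_table *tbl = calloc(1, sizeof(*tbl));
    if (!tbl)
        return NULL;
    tbl->size = predicted > 0 ? predicted : 1;
    tbl->array = calloc((size_t)tbl->size, sizeof(*tbl->array));
    if (!tbl->array) {
        free(tbl);
        return NULL;
    }
    return tbl;
}

/* Returns 0 on success; -1 if the array could not grow, in which case
 * size is left unchanged and the caller is told the entry was dropped. */
int dirinfo_add(struct dir_info_table *tbl, unsigned int ino, unsigned int parent)
{
    if (tbl->count >= tbl->size) {
        int old = tbl->size;
        if (dirinfo_resize(&tbl->array, old, old + 10) != 0)
            return -1;
        tbl->size = old + 10;   /* commit the new size only after success */
    }
    tbl->array[tbl->count].ino = ino;
    tbl->array[tbl->count].parent = parent;
    tbl->array[tbl->count].dotdot = 0;
    tbl->count++;
    return 0;
}

void dirinfo_free(struct dir_info_table *tbl)
{
    if (!tbl)
        return;
    free(tbl->array);
    free(tbl);
}

/* Constructed scenario: start from a predicted directory count, add n
 * directories (inodes 2..n+1, all parented at 2), and return the final
 * allocated size, or -1 on allocation failure / -2 if an entry went missing. */
int dirinfo_fill(int predicted, int n)
{
    struct dir_info_table *tbl = dirinfo_create(predicted);
    if (!tbl)
        return -1;
    for (unsigned int ino = 2; ino < (unsigned int)n + 2; ino++) {
        if (dirinfo_add(tbl, ino, 2) != 0) {
            dirinfo_free(tbl);
            return -1;
        }
    }
    int result = (tbl->count == n) ? tbl->size : -2;
    dirinfo_free(tbl);
    return result;
}

int main(void)
{
    /* A damaged image yields far more directories (25) than predicted (3). */
    printf("final size: %d\n", dirinfo_fill(3, 25));
    return 0;
}
```

With a prediction of 3 and 25 directories the array grows three times (3, 13, 23, 33 entries); a prediction that is never exceeded leaves the array untouched, which is why the original typo stayed hidden on ordinary filesystems.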