lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1200510717.4561.11.camel@ext1.frec.bull.fr>
Date:	Wed, 16 Jan 2008 20:11:57 +0100
From:	Valerie Clement <valerie.clement@...l.net>
To:	linux-ext4 <linux-ext4@...r.kernel.org>
Cc:	cmm@...ibm.com
Subject: [PATCH] Fix oops in mballoc caused by a variable overflow

A simple dd oopses the kernel (2.6.24-rc7 with the latest patch queue):
  dd if=/dev/zero of=/mnt/test/foo bs=1M count=8096

EXT4-fs: mballoc enabled
------------[ cut here ]------------
kernel BUG at fs/ext4/mballoc.c:3148!

The BUG_ON is:
	BUG_ON(size <= 0 || size >= EXT4_BLOCKS_PER_GROUP(ac->ac_sb));

where the value of "size" is 4293920768.

This is due to the overflow of the variable "start" in the 
ext4_mb_normalize_request() function.
The patch below fixes it.

Signed-off-by: Valerie Clement <valerie.clement@...l.net>
---

 mballoc.c |   23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)


Index: linux-2.6.24-rc7/fs/ext4/mballoc.c
===================================================================
--- linux-2.6.24-rc7.orig/fs/ext4/mballoc.c	2008-01-16 19:22:45.000000000 +0100
+++ linux-2.6.24-rc7/fs/ext4/mballoc.c	2008-01-16 19:25:04.000000000 +0100
@@ -2990,6 +2990,7 @@ static void ext4_mb_normalize_request(st
 	struct list_head *cur;
 	loff_t size, orig_size;
 	ext4_lblk_t start, orig_start;
+	ext4_fsblk_t pstart;
 	struct ext4_inode_info *ei = EXT4_I(ac->ac_inode);
 
 	/* do normalize only data requests, metadata requests
@@ -3029,7 +3030,7 @@ static void ext4_mb_normalize_request(st
 
 	/* first, try to predict filesize */
 	/* XXX: should this table be tunable? */
-	start = 0;
+	pstart = 0;
 	if (size <= 16 * 1024) {
 		size = 16 * 1024;
 	} else if (size <= 32 * 1024) {
@@ -3045,25 +3046,25 @@ static void ext4_mb_normalize_request(st
 	} else if (size <= 1024 * 1024) {
 		size = 1024 * 1024;
 	} else if (NRL_CHECK_SIZE(size, 4 * 1024 * 1024, max, bsbits)) {
-		start = ac->ac_o_ex.fe_logical << bsbits;
-		start = (start / (1024 * 1024)) * (1024 * 1024);
+		pstart = ac->ac_o_ex.fe_logical << bsbits;
+		pstart = (pstart / (1024 * 1024)) * (1024 * 1024);
 		size = 1024 * 1024;
 	} else if (NRL_CHECK_SIZE(size, 8 * 1024 * 1024, max, bsbits)) {
-		start = ac->ac_o_ex.fe_logical << bsbits;
-		start = (start / (4 * (1024 * 1024))) * 4 * (1024 * 1024);
+		pstart = ac->ac_o_ex.fe_logical << bsbits;
+		pstart = (pstart / (4 * (1024 * 1024))) * 4 * (1024 * 1024);
 		size = 4 * 1024 * 1024;
 	} else if(NRL_CHECK_SIZE(ac->ac_o_ex.fe_len,(8<<20)>>bsbits,max,bsbits)){
-		start = ac->ac_o_ex.fe_logical;
-		start = start << bsbits;
-		start = (start / (8 * (1024 * 1024))) * 8 * (1024 * 1024);
+		pstart = ac->ac_o_ex.fe_logical;
+		pstart = pstart << bsbits;
+		pstart = (pstart / (8 * (1024 * 1024))) * 8 * (1024 * 1024);
 		size = 8 * 1024 * 1024;
 	} else {
-		start = ac->ac_o_ex.fe_logical;
-		start = start << bsbits;
+		pstart = ac->ac_o_ex.fe_logical;
+		pstart = pstart << bsbits;
 		size = ac->ac_o_ex.fe_len << bsbits;
 	}
 	orig_size = size = size >> bsbits;
-	orig_start = start = start >> bsbits;
+	orig_start = start = pstart >> bsbits;
 
 	/* don't cover already allocated blocks in selected range */
 	if (ar->pleft && start <= ar->lleft) {


-
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ