Date:	Wed, 30 Jan 2008 15:17:57 -0800
From:	Mingming Cao <cmm@...ibm.com>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	Eric Sandeen <sandeen@....com>,
	"linux-ext4@...r.kernel.org" <linux-ext4@...r.kernel.org>,
	Girish Shilamkar <girish@...sterfs.com>, snakebyte@....de
Subject: Re: Fw: [Bugme-new] [Bug 9849] New: NULL pointer deref in
	journal_wait_on_commit_record

On Wed, 2008-01-30 at 12:00 -0800, Andrew Morton wrote:
> 
> Begin forwarded message:
> 
> Date: Wed, 30 Jan 2008 03:24:08 -0800 (PST)
> From: bugme-daemon@...zilla.kernel.org
> To: bugme-new@...ts.osdl.org
> Subject: [Bugme-new] [Bug 9849] New: NULL pointer deref in journal_wait_on_commit_record
> 
> 
> http://bugzilla.kernel.org/show_bug.cgi?id=9849
> 
>            Summary: NULL pointer deref in journal_wait_on_commit_record
>            Product: File System
>            Version: 2.5
>      KernelVersion: 2.6.24-03997-g85004cc
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: ext4
>         AssignedTo: fs_ext4@...nel-bugs.osdl.org
>         ReportedBy: snakebyte@....de
> 
> 
> Latest working kernel version: -
> Earliest failing kernel version: 2.6.24-03863-g0ba6c33
> Distribution: Ubuntu
> Problem Description:
> 
> using a corrupted image causes an oops in unmount, seems as if
> journal_wait_on_commit_record() gets passed a NULL pointer
> 

The buffer head pointer passed to journal_wait_on_commit_record() could
be NULL if the previous journal_submit_commit_record() failed or journal
has already aborted.

Looking at the jbd2 debug messages, before the oops happens, the jbd2 is
aborted due to trying to access the next log block beyond the end of
device. This might be caused by using a corrupted image.

We need to check the error returns from journal_submit_commit_record()
and avoid calling journal_wait_on_commit_record() in the failure case.

Signed-off-by: Mingming Cao <cmm@...ibm.com>
The buffer head pointer passed to journal_wait_on_commit_record()
could be NULL if the previous journal_submit_commit_record() failed
or journal has already aborted.

We need to check the error returns from journal_submit_commit_record()
and avoid calling journal_wait_on_commit_record() in the failure case.

Signed-off-by: Mingming Cao <cmm@...ibm.com>
---
 fs/jbd2/commit.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Index: linux-2.6.24-rc8/fs/jbd2/commit.c
===================================================================
--- linux-2.6.24-rc8.orig/fs/jbd2/commit.c	2008-01-30 14:12:10.000000000 -0800
+++ linux-2.6.24-rc8/fs/jbd2/commit.c	2008-01-30 15:09:50.000000000 -0800
@@ -872,7 +872,8 @@ wait_for_iobuf:
 		if (err)
 			__jbd2_journal_abort_hard(journal);
 	}
-	err = journal_wait_on_commit_record(cbh);
+	if (!err && !is_journal_aborted(journal))
+		err = journal_wait_on_commit_record(cbh);
 
 	if (err)
 		jbd2_journal_abort(journal, err);
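
Review bot: the new guard `if (!err && !is_journal_aborted(journal))` infers that cbh is valid from err and the abort flag instead of testing the pointer the oops was about. The err tested here is whatever the block closed by the `}` above left behind, so the call is only protected if every path that leaves cbh NULL also sets err or aborts the journal; testing cbh directly in the same condition, or adding a comment that states this invariant, would make the fix robust against later changes to the submit path. Separately, when the journal is already aborted and err is 0, the wait is skipped and err stays 0, so the `if (err)` branch below is not taken; if the rest of the commit path is expected to see a failure for this transaction, set err explicitly on that path (the appropriate value is not visible in this hunk).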

