| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <47CDA618.9040007@yahoo.es>
Date: Wed, 05 Mar 2008 03:42:16 +0800
From: Hein_Tibosch <hein_tibosch@...oo.es>
To: James Stewart <jstewart@...adici.com>
CC: linux-ext4@...r.kernel.org
Subject: Ext2 - ext3 unstable under 2.6.24: now solved (?)
Could someone please check the following?
The ext2 and ext3 filesystems of 2.6.24 show many Oops and hangups.
After debugging I found the following common cause:
In a new 2.6.24 function an unwanted sign-extension takes place in:
fs/ext2/dir.c
static inline unsigned ext2_rec_len_from_disk(__le16 dlen)
{
unsigned len = le16_to_cpu(dlen);
if (len == EXT2_MAX_REC_LEN)
return 1 << 16;
return len;
}
include/ext3_fs.h :
static inline unsigned ext3_rec_len_from_disk(__le16 dlen)
{
unsigned len = le16_to_cpu(dlen);
if (len == EXT3_MAX_REC_LEN)
return 1 << 16;
return len;
}
00A0 will be returned as 0xFFFFA000 !!
Many code which iterates through dirent's, uses the above function to
determine the start of the next dirent.(ext2_dirent, ext3_dir_entry_2)
See fs/ext2/dir.c and fs/ext3/namei.c
As a test I replaced "le16_to_cpu()" by a simple:
static inline unsigned my_le16_to_cpu (__le16 value)
{
return ((value & 0x00FF) << 8) | ((value & 0xFF00) >> 8);
}
It showed no more "negative" rec_len values which cause the crashes, and
both ext2/3 now run stable.
Compiler: gcc version 4.1.2 (Ubuntu 4.1.2-0ubuntu4)
Kernel: 2.6.24.atmel.1
Platform: Atmel AP7000 CPU, compiling with "ARCH=avr32
CROSS_COMPILE=avr32-linux-"
Hein Tibosch
Haavard Skinnemoen wrote:
> (Adding the ext2/ext3/ext4 list to Cc)
>
> Note that the MMC/SD card driver in question, atmel-mci, is not in
> mainline, and may be the real cause of this problem. But it looks like
> there might be a potential problem in the ext3 code as well?
>
> Haavard
>
> On Thu, 21 Feb 2008 14:17:04 +0800
> Hein_Tibosch <hein_tibosch@...oo.es> wrote:
>
>
>> Hi James,
>>
>>
>> I've had all kinds of problems with the SD-card hooked to an NGW100, just as John Voltz reported earlier:
>>
>> http://www.avr32linux.org/archives/kernel/2007-November/000421.html
>> http://www.avr32linux.org/archives/kernel/2007-November/000425.html
>>
>> I debugged this problem and my conclusion is: using an SD-card may lead to both BUS-errors and a complete hanging of the system, with 2.6.23.atmel.5 as well as 2.6.24.atmel.1.
>>
>> Both the driver for ext2 and ext3 are using this type of function to iterate through a array of inodes:
>>
>> static inline ext2_dirent *ext2_next_entry(ext2_dirent *p)
>> {
>> return (ext2_dirent *)((char*)p + le16_to_cpu(p->rec_len));
>> }
>>
>> static inline struct ext3_dir_entry_2 *
>> ext3_next_entry(struct ext3_dir_entry_2 *p)
>> {
>> return (struct ext3_dir_entry_2 *)((char *)p +
>> ext3_rec_len_from_disk(p->rec_len));
>> }
>>
>>
>> Sometimes, rec_len is checked for a zero-value, sometimes the entry is checked thoroughly for validity (like with ext2_check_page() or ext3_check_dir_entry()), but in other cases rec_len isn't checked at all! This is the case in e.g. fs/ext3/namei.c, function ext3_dx_find_entry(). This function is always enabled since 2.6.24 (CONFIG_EXT3_INDEX not used anymore).
>>
>> I had a card on which at one place rec_len turned out to be a small negative number. When iterating, it would either cycle for ever (until WDT) or it could enter invalid memory (OOPS: BUS error).
>>
>> ( strange though that the rec_len appeared to have a negative number, I just did a "mkfs -t ext3" on Ubuntu. Could that be caused by the Atmel-driver? )
>>
>> I don't yet feel qualified to make a patch for this, I only did it for myself. Maybe someone can pick this up: a validity check should be made before any call to xxx_next_entry().
>>
>>
>> Regards,
>>
>> Hein Tibosch (HeinBali at avr32linux)
>>
>>
>>
>> James Stewart wrote:
>> Hi,
>>
>> I'm wondering if there are any known issues with booting from SD card on the ATNGW100 using this kernel. I get a bunch of ext2 looking errors and then a stack dump immediately after mounting VFS. 2.6.23.atmel.5 runs perfectly, however.
>>
>> This is just compiling using atngw100_defconfig.
>>
>> Thanks,
>>
>> James
>>
>> ------------------------------------------------
>>
>> _______________________________________________
>> Kernel mailing list
>> Kernel@...32linux.org
>> http://duppen.flaskehals.net/cgi-bin/mailman/listinfo/kernel
>>
>>
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists