| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20090105170259.GB8939@mit.edu> Date: Mon, 5 Jan 2009 12:02:59 -0500 From: Theodore Tso <tytso@....edu> To: Thiemo Nagel <thiemo.nagel@...tum.de> Cc: Ext4 Developers List <linux-ext4@...r.kernel.org> Subject: Re: [PATCH] ext4: fix null pointer deref on mount On Mon, Jan 05, 2009 at 02:19:55AM +0100, Thiemo Nagel wrote: > I came across a null pointer dereference when mounting an intentionally > corrupted filesystem (cf. debug.dmesg). In my opinion, the problem lies > in ext4_fill_super(), where truncation may occur on setting the integer > db_count, which results in too little memory being allocated for > sbi->s_group_desc. The attached patch (against 2.6.28) fixes this by > changing the type of db_count to unsigned long. I also took the > opportunity to make the check against sign extension in calculation of > db_count more strict, so that it now excludes cases in which db_count > comes out as zero. Usigned unsigned long is almost always wrong, because it's not a fixed size; it's 32 bits on x86_32, but 64 bits on x86_64. In this particular case, db_count is always going to well under 32-bits for any legitimate filesystem. If it isn't we need to have better checks; it sounds like the checks we need are ones that do a better job checking s_blocks_per_group; am I right in assuming that s_blocks_per_group was something ridiculous and that is what caused the overflow? - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists