| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20100628114256.0c633779.toshi.okajima@jp.fujitsu.com>
Date: Mon, 28 Jun 2010 11:42:56 +0900
From: Toshiyuki Okajima <toshi.okajima@...fujitsu.com>
To: tytso@....edu, adilger@....com
Cc: linux-ext4@...r.kernel.org, toshi.okajima@...fujitsu.com
Subject: [PATCH][BUG] ext4: do not execute ext4_std_error with EFBIG at
ext4_setattr
From: Toshiyuki Okajima <toshi.okajima@...fujitsu.com>
You know, do_truncate() can call ext4_setattr() (via notify_change()).
And, ext4_setattr() can return with -EFBIG if the argument(length) of
do_truncate() is more than sbi->s_bitmap_maxbytes. At that time,
it also calls ext4_std_error() with -EFBIG.
Besides, a panic happens when ext4_setattr() returns with -EFBIG
after we mount an ext4 filesystem with errors=panic.
The following steps can make this problem easily.
(1)
# /bin/dd if=/dev/zero of=/tmp/img bs=1k seek=1000k count=1
# /sbin/mkfs.ext3 -Fq /tmp/img
# /bin/mount -o loop -t ext4 /tmp/img /mnt
# /bin/dd if=/dev/zero of=/mnt/file bs=1k seek=2143281137 count=1
# /bin/dmesg
...
EXT4-fs error (device loop0) in ext4_setattr: error 27
(2)
# /bin/dd if=/dev/zero of=/tmp/img bs=1k seek=1000k count=1
# /sbin/mkfs.ext3 -Fq /tmp/img
# /bin/mount -o loop,errors=panic -t ext4 /tmp/img /mnt
# /bin/dd if=/dev/zero of=/mnt/file bs=1k seek=2143281137 count=1
(PANIC!)
This problem is in:
5482 if (attr->ia_valid & ATTR_SIZE) {
5483 if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) {
5484 struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
5485
5486 if (attr->ia_size > sbi->s_bitmap_maxbytes) {
5487 error = -EFBIG;
5488 goto err_out;
5489 }
5490 }
5491 }
5543 err_out:
5544 ext4_std_error(inode->i_sb, error);
5545 if (!error)
5546 error = rc;
5547 return error;
(because ext4_setattr() calls ext4_std_error() when error == -EFBIG)
So, we change those into:
5482 if (attr->ia_valid & ATTR_SIZE) {
5483 if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) {
5484 struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
5485
5486 if (attr->ia_size > sbi->s_bitmap_maxbytes) {
5487 error = -EFBIG;
* 5488 goto err_out2;
5489 }
5490 }
5491 }
5543 err_out:
5544 ext4_std_error(inode->i_sb, error);
5545 if (!error)
5546 error = rc;
* 5547 err_out2:
5548 return error;
This changes prevent this problem from happening.
Signed-off-by: Toshiyuki Okajima <toshi.okajima@...fujitsu.com>
---
fs/ext4/inode.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 42272d6..e87bb45 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5485,7 +5485,7 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr)
if (attr->ia_size > sbi->s_bitmap_maxbytes) {
error = -EFBIG;
- goto err_out;
+ goto err_out2;
}
}
}
@@ -5544,6 +5544,7 @@ err_out:
ext4_std_error(inode->i_sb, error);
if (!error)
error = rc;
+err_out2:
return error;
}
--
1.5.5.6
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists