| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Mar 2012 15:23:25 -0700 From: "Darrick J. Wong" <djwong@...ibm.com> To: "Ted Ts'o" <tytso@....edu> Cc: Andreas Dilger <adilger.kernel@...ger.ca>, Sunil Mushran <sunil.mushran@...cle.com>, Amir Goldstein <amir73il@...il.com>, Andi Kleen <andi@...stfloor.org>, Mingming Cao <cmm@...ibm.com>, Joel Becker <jlbec@...lplan.org>, linux-ext4@...r.kernel.org, Coly Li <colyli@...il.com> Subject: Re: [PATCH 01/54] libext2fs: Read and write full size inodes On Fri, Mar 09, 2012 at 06:36:31PM -0500, Ted Ts'o wrote: > On Tue, Mar 06, 2012 at 03:57:27PM -0800, Darrick J. Wong wrote: > > Change libext2fs to read and write full-size inodes in preparation for the > > metadata checksumming patchset, which will require this. Due to ABI > > compatibility requirements, this change must be hidden from client programs. > > > > Signed-off-by: Darrick J. Wong <djwong@...ibm.com> > > After applying this first patch, the e2fsprogs regression test suite > blew up spectacularly caused by the malloc-managed free lists pointers > getting corrupted: > > *** glibc detected *** /usr/projects/e2fsprogs/e2fsprogs/build/debugfs/debugfs: free(): invalid next size (fast): 0x000000000063f9d0 *** > ======= Backtrace: ========= > /lib/libc.so.6(+0x77806)[0x7ffff6e4a806] > /lib/libc.so.6(cfree+0x73)[0x7ffff6e510d3] > /usr/projects/e2fsprogs/e2fsprogs/build/lib/libext2fs.so.2(ext2fs_free_mem+0x30)[0x7ffff7bb562f] > > > Interestingly, valgrind was *not* useful in finding the problem; > apparently it was getting confused by the ext2fs_get_mem() > abstraction, which is unfortunate. I'll have to look into that at > some point. > > Anyway, the problem was in ext2fs_write_inode_full(), and it could be > replicated by simply writing to an inode, i.e. > > mke2fs -F -O resize_inode -o Linux -b 1024 /tmp/image 16384 > debugfs -w -R "set_inode_field <7> mtime now" /tmp/image > > is enough to trigger it. The problem is with a 128 byte ext2 file > system, ext2fs_write_inode_full() is passed a large inode and so > bufsize is 156, but EXT2_INODE_SIZE(fs->super) is 128. So at > lib/ext2fs/inode.c:698: > > memcpy(w_inode, inode, bufsize); > > you end up writing 156 bytes into a memory buffer that was allocated > to a size of 128 bytes. Hilarity ensues. > > The fix is relatively simple: > > memcpy(w_inode, inode, (bufsize > length) ? length : bufsize); > > Anyway, this is *why* running the regression tests are important. > (And why projects which don't have regression test suites are just > asking for trouble.) > > They catch all sorts of interesting oversights like this.... Hmm, good catch. To be honest I wasn't aware that there /was/ a make check. I'll contribute my checksum tests when I figure out how to integrate them. I'll send out patches to fix the other 45 failures this afternoon; I traced most of them to a mistake I made in e2fsck/rehash.c. --D -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists