lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Thu, 14 May 2015 19:12:42 -0400
From:	Theodore Ts'o <>
To:	Jan Kara <>
Cc:	"Darrick J. Wong" <>,
Subject: Re: [PATCH v2] jbd2: fix r_count overflows leading to buffer
 overflow in journal recovery

On Thu, May 14, 2015 at 10:48:26PM +0200, Jan Kara wrote:
> On Thu 14-05-15 12:34:24, Darrick J. Wong wrote:
> > The journal revoke block recovery code does not check r_count for
> > sanity, which means that an evil value of r_count could result in
> > the kernel reading off the end of the revoke table and into whatever
> > garbage lies beyond.  This could crash the kernel, so fix that.
> > 
> > However, in testing this fix, I discovered that the code to write
> > out the revoke tables also was not correctly checking to see if the
> > block was full -- the current offset check is fine so long as the
> > revoke table space size is a multiple of the record size, but this
> > is not true when either journal_csum_v[23] are set.
> > 
> > v2: The comparison on the revoke block writer code should allow the
> > revoke block to become totally full.
> > 
> > Signed-off-by: Darrick J. Wong <>
>   Looks good. You can add:
> Reviewed-by: Jan Kara <>

Thanks, applied.

					- Ted
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists