lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20171211200947.upnb5gt3vhh6pm3f@thunk.org>
Date:   Mon, 11 Dec 2017 15:09:47 -0500
From:   Theodore Ts'o <tytso@....edu>
To:     Chandan Rajendra <chandan@...ux.vnet.ibm.com>
Cc:     linux-ext4@...r.kernel.org, abdhalee@...ux.vnet.ibm.com
Subject: Re: [PATCH] ext4: Fix crash when working on a fuzzed ext2 fs image

On Thu, Dec 07, 2017 at 11:08:18AM +0530, Chandan Rajendra wrote:
> On a ppc64 machine, when mounting a fuzzed ext2 image (generated by
> fsfuzzer) the following call trace is seen,
> ...
> 
> This happens because the directory that ext4_find_entry() looks up has
> inode->i_size that is less than the block size of the filesystem. This
> causes 'nblocks' to have a value of zero. ext4_bread_batch() ends up not
> reading any of the directory file's blocks. This renders the entries in
> bh_use[] array to continue to have garbage data. buffer_uptodate() on
> bh_use[0] can then return a zero value upon which brelse() function is
> invoked.

Thanks for reporting the problem.  Your patch wasn't quite right since
ret is not an int, but rather a struct buffer_head *, and the right
thing to do in this instnace is to return NULL:

>  	nblocks = dir->i_size >> EXT4_BLOCK_SIZE_BITS(sb);
> +	if (!nblocks) {
> +		ret = NULL;
> +		goto cleanup_and_exit;
> +	}


I'll fix up your patch and include it in the ext4 tree, thanks.

     	    	       	   	   - Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ