Open Source and information security mailing list archives
Date: Mon, 11 Dec 2017 15:09:47 -0500
From: Theodore Ts'o <tytso@....edu>
To: Chandan Rajendra <chandan@...ux.vnet.ibm.com>
Cc: linux-ext4@...r.kernel.org, abdhalee@...ux.vnet.ibm.com
Subject: Re: [PATCH] ext4: Fix crash when working on a fuzzed ext2 fs image

On Thu, Dec 07, 2017 at 11:08:18AM +0530, Chandan Rajendra wrote:
> On a ppc64 machine, when mounting a fuzzed ext2 image (generated by
> fsfuzzer) the following call trace is seen,
> ...
>
> This happens because the directory that ext4_find_entry() looks up has
> inode->i_size that is less than the block size of the filesystem. This
> causes 'nblocks' to have a value of zero. ext4_bread_batch() ends up not
> reading any of the directory file's blocks. This renders the entries in
> bh_use[] array to continue to have garbage data. buffer_uptodate() on
> bh_use[0] can then return a zero value upon which brelse() function is
> invoked.

Thanks for reporting the problem. Your patch wasn't quite right since
ret is not an int, but rather a struct buffer_head *, and the right
thing to do in this instance is to return NULL:

> nblocks = dir->i_size >> EXT4_BLOCK_SIZE_BITS(sb);
> + if (!nblocks) {
> + ret = NULL;
> + goto cleanup_and_exit;
> + }

I'll fix up your patch and include it in the ext4 tree, thanks.

- Ted
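Review bot: the early exit silently turns a corrupt directory into an empty one. The `if (!nblocks)` guard covers exactly the case the commit message describes (i_size below one block, so nothing is ever stored in bh_use[]), and `ret = NULL` before `goto cleanup_and_exit` is the right sentinel now that ret is a struct buffer_head * rather than an int. But an on-disk directory inode whose i_size is smaller than one filesystem block is a corrupted structure, and this hunk makes the lookup report "not found" without leaving any trace. Consider reporting the condition at that point (ext4 already has EXT4_ERROR_INODE for inode-level corruption) so a fuzzed or damaged image shows up in the log instead of being treated as a valid empty directory.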
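The failure mode in the report, a directory inode whose i_size is smaller than one block making nblocks zero so that the read-ahead batch fills nothing and bh_use[0] is consulted uninitialized, is easier to follow in a small user-space model. The program below is an added example written for this page, not kernel code and not the patch from the thread: it models ext4_find_entry(), ext4_bread_batch() and sb_bread() over a constructed one-block ext2-style directory image (1 KiB blocks, entries ".", ".." and "file.txt" are assumptions), leaves bh_use[] uninitialized exactly as the kernel does, and applies the nblocks check the thread settles on so that an undersized i_size is rejected before the array is ever read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the ext4_find_entry() walk; not kernel code. */
#define BLOCK_SIZE_BITS 10                /* 1 KiB blocks, common on small ext2 images */
#define BLOCK_SIZE      (1u << BLOCK_SIZE_BITS)
#define NAMEI_RA_SIZE   8                 /* read-ahead window used by ext4_find_entry() */
#define DIRENT_HDR      8                 /* inode(4) + rec_len(2) + name_len(1) + file_type(1) */

/* Model of a directory inode: its i_size plus the bytes of its data blocks. */
struct dir_inode {
    uint64_t       i_size;
    const uint8_t *data;
    size_t         data_len;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Models sb_bread(): the block's bytes, or NULL when it lies outside the image. */
static const uint8_t *read_block(const struct dir_inode *dir, uint64_t block)
{
    if ((block + 1) * BLOCK_SIZE > dir->data_len)
        return NULL;
    return dir->data + block * BLOCK_SIZE;
}

/* Models ext4_bread_batch(): fills bh[0..n); with n == 0 it stores nothing at all. */
static void bread_batch(const struct dir_inode *dir, uint64_t first,
                        unsigned n, const uint8_t *bh[])
{
    for (unsigned i = 0; i < n; i++)
        bh[i] = read_block(dir, first + i);
}

/* Walks one block of ext4_dir_entry_2 records; returns 1 if `name` is present. */
static int search_block(const uint8_t *blk, const char *name)
{
    size_t nlen = strlen(name), off = 0;
    while (off + DIRENT_HDR <= BLOCK_SIZE) {
        const uint8_t *de = blk + off;
        uint16_t rec_len = le16(de + 4);
        uint8_t name_len = de[6];
        if (rec_len < DIRENT_HDR || off + DIRENT_HDR + name_len > BLOCK_SIZE)
            return 0;                     /* malformed record: stop scanning */
        if ((de[0] | de[1] | de[2] | de[3]) && name_len == nlen &&
            memcmp(de + DIRENT_HDR, name, nlen) == 0)
            return 1;                     /* live entry (inode != 0) with matching name */
        off += rec_len;
    }
    return 0;
}

/* Models ext4_find_entry(): returns the block number holding `name`, or -1.
 * bh_use[] is deliberately uninitialized, as in the kernel: every slot read
 * later must first have been filled by bread_batch(). */
long find_entry(const struct dir_inode *dir, const char *name)
{
    const uint8_t *bh_use[NAMEI_RA_SIZE];
    uint64_t nblocks = dir->i_size >> BLOCK_SIZE_BITS;

    /* The check from the thread: i_size below one block gives nblocks == 0,
     * bread_batch() would fill nothing and bh_use[0] would hold garbage. */
    if (!nblocks)
        return -1;

    for (uint64_t block = 0; block < nblocks; ) {
        unsigned ra_max = (nblocks - block > NAMEI_RA_SIZE)
                              ? NAMEI_RA_SIZE : (unsigned)(nblocks - block);
        bread_batch(dir, block, ra_max, bh_use);
        for (unsigned i = 0; i < ra_max; i++, block++)
            if (bh_use[i] && search_block(bh_use[i], name))
                return (long)block;
    }
    return -1;
}

/* Constructed one-block directory holding ".", ".." and "file.txt". */
static uint8_t sample_image[BLOCK_SIZE];

static void put_entry(uint8_t *p, uint32_t ino, uint16_t rec_len,
                      uint8_t ftype, const char *name)
{
    size_t n = strlen(name);
    p[0] = (uint8_t)ino; p[1] = (uint8_t)(ino >> 8);
    p[2] = (uint8_t)(ino >> 16); p[3] = (uint8_t)(ino >> 24);
    p[4] = (uint8_t)rec_len; p[5] = (uint8_t)(rec_len >> 8);
    p[6] = (uint8_t)n; p[7] = ftype;
    memcpy(p + DIRENT_HDR, name, n);
}

/* Looks `name` up in the sample directory under a chosen (possibly bogus) i_size. */
long lookup_in_sample(uint64_t i_size, const char *name)
{
    memset(sample_image, 0, sizeof sample_image);
    put_entry(sample_image,      2,  12,             2, ".");        /* 2 = EXT4_FT_DIR */
    put_entry(sample_image + 12, 2,  12,             2, "..");
    put_entry(sample_image + 24, 12, BLOCK_SIZE - 24, 1, "file.txt"); /* 1 = EXT4_FT_REG_FILE */
    struct dir_inode dir = { i_size, sample_image, sizeof sample_image };
    return find_entry(&dir, name);
}

int main(void)
{
    printf("sane i_size: file.txt found in block %ld\n", lookup_in_sample(BLOCK_SIZE, "file.txt"));
    printf("i_size < block: lookup returns %ld, bh_use[] never read\n",
           lookup_in_sample(512, "file.txt"));
    return 0;
}
```

With i_size equal to one block the lookup reads the single block and finds "file.txt"; with the fuzzed i_size of 512 the same image is rejected by the nblocks check before bread_batch() runs, which is the point where the unpatched kernel went on to call buffer_uptodate() and brelse() on whatever bh_use[0] happened to contain.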