lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Oct 2020 15:55:50 +0000 From: Luis Henriques <lhenriques@...e.de> To: tytso@....edu Cc: linux-ext4@...r.kernel.org, Luis Henriques <lhenriques@...e.de> Subject: [PATCH] filefrag: handle invalid st_dev and blksize cases It is possible to crash filefrag with a "Floating point exception" in two different scenarios: 1. When fstat() returns a device ID set to 0 2. When FIGETBSZ ioctl returns a blocksize of 0 In both scenarios a divide-by-zero will occur in frag_report() because variable blksize will be set to zero. I've managed to trigger this crash with an old CephFS kernel client, using xfstest generic/519. The first scenario has been fixed by kernel commit 75c9627efb72 ("ceph: map snapid to anonymous bdev ID"). The second scenario is also fixed with commit 8f97d1e99149 ("vfs: fix FIGETBSZ ioctl on an overlayfs file"). However, it is desirable to handle these two scenarios gracefully by checking these conditions explicitly. Signed-off-by: Luis Henriques <lhenriques@...e.de> --- misc/filefrag.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/misc/filefrag.c b/misc/filefrag.c index 6308bc6d1f91..62d583b2ea23 100644 --- a/misc/filefrag.c +++ b/misc/filefrag.c @@ -438,13 +438,13 @@ static int frag_report(const char *filename) goto out_close; } - if (last_device != st.st_dev) { + if ((last_device != st.st_dev) || !st.st_dev) { if (fstatfs(fd, &fsinfo) < 0) { rc = -errno; perror("fstatfs"); goto out_close; } - if (ioctl(fd, FIGETBSZ, &blksize) < 0) + if ((ioctl(fd, FIGETBSZ, &blksize) < 0) || !blksize) blksize = fsinfo.f_bsize; if (verbose) printf("Filesystem type is: %lx\n",
Powered by blists - more mailing lists