| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Oct 2020 15:55:50 +0000
From: Luis Henriques <lhenriques@...e.de>
To: tytso@....edu
Cc: linux-ext4@...r.kernel.org, Luis Henriques <lhenriques@...e.de>
Subject: [PATCH] filefrag: handle invalid st_dev and blksize cases
It is possible to crash filefrag with a "Floating point exception" in
two different scenarios:
1. When fstat() returns a device ID set to 0
2. When FIGETBSZ ioctl returns a blocksize of 0
In both scenarios a divide-by-zero will occur in frag_report() because
variable blksize will be set to zero.
I've managed to trigger this crash with an old CephFS kernel client,
using xfstest generic/519. The first scenario has been fixed by kernel
commit 75c9627efb72 ("ceph: map snapid to anonymous bdev ID"). The
second scenario is also fixed with commit 8f97d1e99149 ("vfs: fix
FIGETBSZ ioctl on an overlayfs file").
However, it is desirable to handle these two scenarios gracefully by
checking these conditions explicitly.
Signed-off-by: Luis Henriques <lhenriques@...e.de>
---
misc/filefrag.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/misc/filefrag.c b/misc/filefrag.c
index 6308bc6d1f91..62d583b2ea23 100644
--- a/misc/filefrag.c
+++ b/misc/filefrag.c
@@ -438,13 +438,13 @@ static int frag_report(const char *filename)
goto out_close;
}
- if (last_device != st.st_dev) {
+ if ((last_device != st.st_dev) || !st.st_dev) {
if (fstatfs(fd, &fsinfo) < 0) {
rc = -errno;
perror("fstatfs");
goto out_close;
}
- if (ioctl(fd, FIGETBSZ, &blksize) < 0)
+ if ((ioctl(fd, FIGETBSZ, &blksize) < 0) || !blksize)
blksize = fsinfo.f_bsize;
if (verbose)
printf("Filesystem type is: %lx\n",
Powered by blists - more mailing lists