Date:	Wed, 25 Feb 2009 14:31:20 +0100 (CET)
From:	Geert Uytterhoeven <Geert.Uytterhoeven@...ycom.com>
To:	Mark Nelson <markn@....ibm.com>
cc:	linuxppc-dev@...abs.org, Jan Kara <jack@....cz>,
	Jan Kara <jack@...e.cz>, Mel Gorman <mel@....ul.ie>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	Paul Mackerras <paulus@...ba.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-ext4@...r.kernel.org
Subject: Re: Crash (ext3 ) during 2.6.29-rc6 boot

On Wed, 25 Feb 2009, Mark Nelson wrote:
> On Wed, 25 Feb 2009 08:50:46 pm Geert Uytterhoeven wrote:
> > On Wed, 25 Feb 2009, Mark Nelson wrote:
> > > On Tue, 24 Feb 2009 05:38:37 pm Sachin P. Sant wrote:
> > > > Jan Kara wrote:
> > > > >   Hmm, OK. But then I'm not sure how that can happen. Obviously, memcpy
> > > > > somehow got beyond end of the page referenced by bh->b_data. So it means
> > > > > that le16_to_cpu(entry->e_value_offs) + size > page_size. But
> > > > > ext3_xattr_find_entry() calls ext3_xattr_check_entry() which in
> > > > > particular checks whether e_value_offs + e_value_size isn't greater than
> > > > > bh->b_size. So I see no way how memcpy can get beyond end of the page.
> > > > >   Sachin, is the problem reproducible? If yes, can you send us contents
> > > > >   
> > > > Yes, I am able to recreate this problem easily. As I had mentioned, if the
> > > > earlier kernel is booted with selinux enabled and then 2.6.29-rc6 is booted
> > > > I get this crash. But if I specify selinux=0 at command line, 2.6.29-rc6 boots
> > > > without any problem.
> > > 
> > > Hi Sachin and Geert,
> > > 
> > > Does the patch below fix the problems you're seeing? If it does I'll send
> > > a properly written up and formatted patch to linuxppc-dev (as well as
> > > another one to fix the same problem in copy_tofrom_user()).
> > 
> > Unfortunately not, now it crashes while accessing the memory pointed to by
> > GPR16, in
> > 
> > NIP: copy_page_range+x0608/0x628
> > LR:  dup_mm+0x2e4/0x428
> > Trace: debug_table+0xcc70/0x1afe0 (unreliable)
> > dup_mm+0x2e4/0x428
> > copy_process+0x86c/0xf9c
> > do_fork+0x188/0x39c
> > sys_clone+0x58/0x70
> > ppc_clone+0x8/0xc
> > 
> > However, after reverting 25d6e2d7c58ddc4a3b614fc5381591c0cfe66556, I still see
> > similar problems as above (crash in copy_page_range()).
> > Which makes me think that
> >   1. Your new patch fixes the problem introduced by 25d6e2d7,
> >   2. There's still another issue than the one introduced by 25d6e2d7.
> 
> Does the following patch fix the errors you're seeing? (it applies the
> same fix as the previous patch but this time to copy_tofrom_user, which
> I updated in a4e22f02f5b6518c1484faea1f88d81802b9feac)

Thanks, but I still get crashes in copy_page_range().

With kind regards,

Geert Uytterhoeven
Software Architect

Sony Techsoft Centre Europe
The Corporate Village · Da Vincilaan 7-D1 · B-1935 Zaventem · Belgium

Phone:    +32 (0)2 700 8453
Fax:      +32 (0)2 700 8622
E-mail:   Geert.Uytterhoeven@...ycom.com
Internet: http://www.sony-europe.com/

A division of Sony Europe (Belgium) N.V.
VAT BE 0413.825.160 · RPR Brussels
Fortis · BIC GEBABEBB · IBAN BE41293037680010