| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6278d2221002251338x6d235485t832ea6238272b9a7@mail.gmail.com>
Date: Thu, 25 Feb 2010 21:38:38 +0000
From: Daniel J Blueman <daniel.blueman@...il.com>
To: Josef Bacik <josef@...hat.com>
Cc: Andrew Lutomirski <luto@....edu>, linux-kernel@...r.kernel.org,
linux-btrfs@...r.kernel.org
Subject: Re: [2.6.33 regression] btrfs mount causes memory corruption
On Thu, Feb 25, 2010 at 8:38 PM, Josef Bacik <josef@...hat.com> wrote:
> On Thu, Feb 25, 2010 at 03:29:34PM -0500, Andrew Lutomirski wrote:
>> On Thu, Feb 25, 2010 at 3:23 PM, Josef Bacik <josef@...hat.com> wrote:
>> > On Thu, Feb 25, 2010 at 03:01:08PM -0500, Andrew Lutomirski wrote:
>> >> Mounting btrfs corrupts memory and causes nasty crashes within a few
>> >> seconds. This seems to happen even if the mount fails (note the
>> >> unrecognized mount option). This is a regression from 2.6.32, and
>> >> I've attached an example.
>> >>
>> >
>> > And it only happens when you mount a btrfs fs? Can you show me a trace of when
>> > you mount a btrfs fs with valid mount options? I'd like to see if we're not
>> > cleaning up something properly or what. Thanks,
>>
>> Seems OK. Or maybe I just got lucky, but it's crashed every time I
>> tried to mount with 'acl' before.
>>
>> I even went through a couple iterations of trying to mount with
>> 'xattr' and 'user_xattr', both of which failed.
>>
>
> Ok it looks like we have a problem kfree'ing the wrong stuff. we kstrdup the
> options string, but then strsep screws with the pointer, so when we kfree() it,
> we're not giving it the right pointer. Please try this patch, and mount with -o
> acl and other such garbage to make sure it actually worked (acl isn't a valid
> mount option btw). Let me know if it works. Thanks,
>
> Josef
>
>
> diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
> index 8a1ea6e..f8b4521 100644
> --- a/fs/btrfs/super.c
> +++ b/fs/btrfs/super.c
> @@ -128,7 +128,7 @@ int btrfs_parse_options(struct btrfs_root *root, char *options)
> {
> struct btrfs_fs_info *info = root->fs_info;
> substring_t args[MAX_OPT_ARGS];
> - char *p, *num;
> + char *p, *num, *orig;
> int intarg;
> int ret = 0;
>
> @@ -143,6 +143,7 @@ int btrfs_parse_options(struct btrfs_root *root, char *options)
> if (!options)
> return -ENOMEM;
>
> + orig = options;
>
> while ((p = strsep(&options, ",")) != NULL) {
> int token;
> @@ -280,7 +281,7 @@ int btrfs_parse_options(struct btrfs_root *root, char *options)
> }
> }
> out:
> - kfree(options);
> + kfree(orig);
> return ret;
> }
The patch is good, and the same as I was testing to fix this issue I
found a day before with -rc8.
Thanks,
Daniel
--
Daniel J Blueman
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists