lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 25 Feb 2010 21:38:38 +0000
From:	Daniel J Blueman <daniel.blueman@...il.com>
To:	Josef Bacik <josef@...hat.com>
Cc:	Andrew Lutomirski <luto@....edu>, linux-kernel@...r.kernel.org,
	linux-btrfs@...r.kernel.org
Subject: Re: [2.6.33 regression] btrfs mount causes memory corruption

On Thu, Feb 25, 2010 at 8:38 PM, Josef Bacik <josef@...hat.com> wrote:
> On Thu, Feb 25, 2010 at 03:29:34PM -0500, Andrew Lutomirski wrote:
>> On Thu, Feb 25, 2010 at 3:23 PM, Josef Bacik <josef@...hat.com> wrote:
>> > On Thu, Feb 25, 2010 at 03:01:08PM -0500, Andrew Lutomirski wrote:
>> >> Mounting btrfs corrupts memory and causes nasty crashes within a few
>> >> seconds.  This seems to happen even if the mount fails (note the
>> >> unrecognized mount option).  This is a regression from 2.6.32, and
>> >> I've attached an example.
>> >>
>> >
>> > And it only happens when you mount a btrfs fs?  Can you show me a trace of when
>> > you mount a btrfs fs with valid mount options?  I'd like to see if we're not
>> > cleaning up something properly or what.  Thanks,
>>
>> Seems OK.  Or maybe I just got lucky, but it's crashed every time I
>> tried to mount with 'acl' before.
>>
>> I even went through a couple iterations of trying to mount with
>> 'xattr' and 'user_xattr', both of which failed.
>>
>
> Ok it looks like we have a problem kfree'ing the wrong stuff.  we kstrdup the
> options string, but then strsep screws with the pointer, so when we kfree() it,
> we're not giving it the right pointer.  Please try this patch, and mount with -o
> acl and other such garbage to make sure it actually worked (acl isn't a valid
> mount option btw).  Let me know if it works.  Thanks,
>
> Josef
>
>
> diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
> index 8a1ea6e..f8b4521 100644
> --- a/fs/btrfs/super.c
> +++ b/fs/btrfs/super.c
> @@ -128,7 +128,7 @@ int btrfs_parse_options(struct btrfs_root *root, char *options)
>  {
>        struct btrfs_fs_info *info = root->fs_info;
>        substring_t args[MAX_OPT_ARGS];
> -       char *p, *num;
> +       char *p, *num, *orig;
>        int intarg;
>        int ret = 0;
>
> @@ -143,6 +143,7 @@ int btrfs_parse_options(struct btrfs_root *root, char *options)
>        if (!options)
>                return -ENOMEM;
>
> +       orig = options;
>
>        while ((p = strsep(&options, ",")) != NULL) {
>                int token;
> @@ -280,7 +281,7 @@ int btrfs_parse_options(struct btrfs_root *root, char *options)
>                }
>        }
>  out:
> -       kfree(options);
> +       kfree(orig);
>        return ret;
>  }

The patch is good, and the same as I was testing to fix this issue I
found a day before with -rc8.

Thanks,
  Daniel
-- 
Daniel J Blueman
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ