lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Jan 2012 15:30:05 +0800 From: "Li Wang" <liwang@...t.edu.cn> To: ecryptfs@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [PATCH] eCryptfs: infinite loop bug Hi, There is an infinite loop bug in eCryptfs, to make it present, just truncate to generate a huge file (>= 4G) on a 32-bit machine under the plain text foleder mounted with eCryptfs, a simple command 'truncate -s 4G dummy' is enough. Note: 4GB is smaller than 4G, therefore the following command 'truncate -s 4GB dummy' will not trigger this bug. The bug comes from a data overflow, the patch below fixes it. Cheers, Li Wang --- signed-off-by: Li Wang <liwang@...t.edu.cn > Yunchuan Wen (wenyunchuan@...inos.com.cn ) --- read_write.c.orig 2012-01-18 10:39:26.000000000 +0800 +++ read_write.c 2012-01-18 19:48:41.484196221 +0800 @@ -130,7 +130,7 @@ int ecryptfs_write(struct inode *ecryptf pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT); size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK); size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); - size_t total_remaining_bytes = ((offset + size) - pos); + loff_t total_remaining_bytes = ((offset + size) - pos); if (num_bytes > total_remaining_bytes) num_bytes = total_remaining_bytes; --- read_write.c.orig 2012-01-18 10:39:26.000000000 +0800 +++ read_write.c 2012-01-18 19:48:41.484196221 +0800 @@ -130,7 +130,7 @@ int ecryptfs_write(struct inode *ecryptf pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT); size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK); size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); - size_t total_remaining_bytes = ((offset + size) - pos); + loff_t total_remaining_bytes = ((offset + size) - pos); if (num_bytes > total_remaining_bytes) num_bytes = total_remaining_bytes;
Powered by blists - more mailing lists