lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
c963343a11
linux-kernel-test/fs
History
Bob Copeland c963343a11 omfs: fix potential oops when directory size is corrupted 
Testing with a modified fsfuzzer reveals a couple of locations in omfs
where filesystem variables are ultimately used as loop counters with
insufficient sanity checking.  In this case, dir->i_size is used to
compute the number of buckets in the directory hash.  If too large,
readdir will overrun a buffer.

Since it's an invariant that dir->i_size is equal to the sysblock
size, and we already sanity check that, just use that value instead.
This fixes the following oops:

BUG: unable to handle kernel paging request at c978e004
IP: [<c032298e>] omfs_readdir+0x18e/0x32f
Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
Modules linked in:

Pid: 4796, comm: ls Not tainted (2.6.27-rc2 #12)
EIP: 0060:[<c032298e>] EFLAGS: 00010287 CPU: 0
EIP is at omfs_readdir+0x18e/0x32f
EAX: c978d000 EBX: 00000000 ECX: cbfcfaf8 EDX: cb2cf100
ESI: 00001000 EDI: 00000800 EBP: cb2d3f68 ESP: cb2d3f0c
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process ls (pid: 4796, ti=cb2d3000 task=cb175f40 task.ti=cb2d3000)
Stack: 00000002 00000000 00000000 c018a820 cb2d3f94 cb2cf100 cbfb0000 ffffff10
       cbfb3b80 cbfcfaf8 000001c9 00000a09 00000000 00000000 00000000 cbfcfbc8
       c9697000 cbfb3b80 22222222 00001000 c08e6cd0 cb2cf100 cbfb3b80 cb2d3f88
Call Trace:
 [<c018a820>] ? filldir64+0x0/0xcd
 [<c018a9f2>] ? vfs_readdir+0x56/0x82
 [<c018a820>] ? filldir64+0x0/0xcd
 [<c018aa7c>] ? sys_getdents64+0x5e/0xa0
 [<c01038bd>] ? sysenter_do_call+0x12/0x31
 =======================
Code: 00 89 f0 89 f3 0f ac f8 14 81 e3 ff ff 0f 00 48 8d
14 c5 b8 01 00 00 89 45 cc 89 55 f0 e9 8c 01 00 00 8b 4d c8 8b 75 f0 8b
41 18 <8b> 54 30 04 8b 04 30 31 f6 89 5d dc 89 d1 8b 55 b8 0f c8 0f c9

Reported-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-08-15 08:35:44 -07:00
..
9p 9p: fix O_APPEND in legacy mode 2008-07-03 09:59:03 -05:00
adfs SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
affs [PATCH] f_count may wrap around 2008-07-26 20:53:40 -04:00
afs mm: rename page trylock 2008-08-04 21:31:34 -07:00
autofs
autofs4 autofs4: remove unused ioctls 2008-07-24 10:47:33 -07:00
befs SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
bfs SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
cifs Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6 2008-08-08 16:18:34 -07:00
coda [PATCH] sanitize __user_walk_fd() et.al. 2008-07-26 20:53:34 -04:00
configfs [PATCH] configfs: Pin configfs subsystems separately from new config_items. 2008-07-31 16:21:13 -07:00
cramfs
debugfs debugfs: Implement debugfs_remove_recursive() 2008-07-21 21:54:59 -07:00
devpts [PATCH] devpts: switch to IDA 2008-08-01 11:25:29 -04:00
dlm dlm: rename structs 2008-08-13 12:47:36 -05:00
ecryptfs eCryptfs: use page_alloc not kmalloc to get a page of memory 2008-07-28 16:30:21 -07:00
efs SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
exportfs
ext2 vfs: pagecache usage optimization for pagesize!=blocksize 2008-07-28 16:30:21 -07:00
ext3 [PATCH] fix races and leaks in vfs_quota_on() users 2008-08-01 11:25:25 -04:00
ext4 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 2008-08-03 10:50:44 -07:00
fat fat: Fix allow_utime option 2008-08-02 09:13:55 -07:00
freevxfs
fuse [PATCH] fix MAY_CHDIR/MAY_ACCESS/LOOKUP_ACCESS mess 2008-07-26 20:53:21 -04:00
gfs2 [PATCH] don't pass nameidata to gfs2_lookupi() 2008-07-26 20:53:36 -04:00
hfs [PATCH] f_count may wrap around 2008-07-26 20:53:40 -04:00
hfsplus [PATCH] f_count may wrap around 2008-07-26 20:53:40 -04:00
hostfs [PATCH] sanitize ->permission() prototype 2008-07-26 20:53:14 -04:00
hpfs [patch 05/14] hpfs: dont call permission() 2008-07-26 20:53:13 -04:00
hppfs [patch] hppfs: remove hppfs_permission 2008-07-26 20:53:07 -04:00
hugetlbfs SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
isofs SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
jbd Merge branch 'core/locking' into core/urgent 2008-08-12 00:11:49 +02:00
jbd2 Merge branch 'core/locking' into core/urgent 2008-08-12 00:11:49 +02:00
jffs2 [JFFS2] Fix allocation of summary buffer 2008-08-01 10:07:51 +01:00
jfs [PATCH] sanitize ->permission() prototype 2008-07-26 20:53:14 -04:00
lockd Merge branch 'for-2.6.27' of git://linux-nfs.org/~bfields/linux 2008-08-12 16:39:22 -07:00
minix SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
msdos fatfs: add UTC timestamp option 2008-07-25 10:53:34 -07:00
ncpfs [PATCH] don't pass nameidata to __ncp_lookup_validate() 2008-07-26 20:53:37 -04:00
nfs Revert "UFS: add const to parser token table" 2008-08-04 16:50:38 -07:00
nfs_common
nfsd Merge branch 'for-2.6.27' of git://linux-nfs.org/~bfields/linux 2008-08-12 16:39:22 -07:00
nls
ntfs fs: rename buffer trylock 2008-08-04 21:56:09 -07:00
ocfs2 [PATCH] ocfs2: Release mutex in error handling code 2008-07-31 16:21:14 -07:00
omfs omfs: fix potential oops when directory size is corrupted 2008-08-15 08:35:44 -07:00
openpromfs SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
partitions fs/partitions/efi: convert to pr_debug 2008-07-25 10:53:44 -07:00
proc proc: fix warnings 2008-08-05 14:33:50 -07:00
qnx4 SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
ramfs ramfs: enable splice write 2008-07-04 09:52:14 +02:00
reiserfs reiserfs: removed duplicated #include 2008-08-12 16:07:30 -07:00
romfs romfs_readpage: don't report errors for pages beyond i_size 2008-07-30 14:30:34 -07:00
smbfs [PATCH] sanitize ->permission() prototype 2008-07-26 20:53:14 -04:00
sysfs Use WARN() in fs/sysfs 2008-07-26 12:00:07 -07:00
sysv SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
ubifs [PATCH] get rid of indirect users of namei.h 2008-07-26 20:53:42 -04:00
udf SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
ufs Revert "UFS: add const to parser token table" 2008-08-04 16:50:38 -07:00
vfat fatfs: add UTC timestamp option 2008-07-25 10:53:34 -07:00
xfs CRED: Introduce credential access wrappers 2008-08-14 09:35:23 +10:00
aio.c [PATCH] f_count may wrap around 2008-07-26 20:53:40 -04:00
anon_inodes.c flag parameters: NONBLOCK in anon_inode_getfd 2008-07-24 10:47:28 -07:00
attr.c [patch 4/4] vfs: immutable inode checking cleanup 2008-07-26 20:53:28 -04:00
bad_inode.c [PATCH] sanitize ->permission() prototype 2008-07-26 20:53:14 -04:00
binfmt_aout.c tracehook: exec 2008-07-26 12:00:08 -07:00
binfmt_elf_fdpic.c binfmt_elf_fdpic: Magical stack pointer index, for NEW_AUX_ENT compat. 2008-07-28 18:10:28 +09:00
binfmt_elf.c tracehook: exec 2008-07-26 12:00:08 -07:00
binfmt_em86.c
binfmt_flat.c tracehook: exec 2008-07-26 12:00:08 -07:00
binfmt_misc.c binfmt_misc: use simple_read_from_buffer() 2008-07-24 10:47:27 -07:00
binfmt_script.c
binfmt_som.c tracehook: exec 2008-07-26 12:00:08 -07:00
bio-integrity.c bio-integrity: remove EXPORT_SYMBOL for bio_integrity_init_slab() 2008-07-28 16:30:21 -07:00
bio.c bio: make use of bvec_nr_vecs 2008-08-06 12:30:04 +02:00
block_dev.c [PATCH] switch mtd and dm-table to lookup_bdev() 2008-08-01 11:25:31 -04:00
buffer.c fs: rename buffer trylock 2008-08-04 21:56:09 -07:00
char_dev.c Remove the lock_kernel() call from chrdev_open() 2008-06-20 14:05:53 -06:00
compat_binfmt_elf.c
compat_ioctl.c remove unused #include <linux/dirent.h>'s 2008-07-25 10:53:34 -07:00
compat.c [PATCH] sanitize __user_walk_fd() et.al. 2008-07-26 20:53:34 -04:00
dcache.c dcache: Add case-insensitive support d_ci_add() routine 2008-07-28 16:58:39 +10:00
dcookies.c
direct-io.c dio: use get_user_pages_fast 2008-07-26 12:00:06 -07:00
dnotify.c [PATCH] split linux/file.h 2008-05-01 13:08:16 -04:00
dquot.c [PATCH] fix races and leaks in vfs_quota_on() users 2008-08-01 11:25:25 -04:00
drop_caches.c
eventfd.c flag parameters: check magic constants 2008-07-24 10:47:29 -07:00
eventpoll.c fs/eventpoll.c: fix sys_epoll_create1() comment 2008-08-12 16:07:30 -07:00
exec.c exec: include pagemap.h again to fix build 2008-07-28 16:30:20 -07:00
fcntl.c [PATCH] clean dup2() up a bit 2008-08-01 11:25:24 -04:00
fifo.c [PATCH] reuse xxx_fifo_fops for xxx_pipe_fops 2008-07-26 20:53:06 -04:00
file_table.c [PATCH] f_count may wrap around 2008-07-26 20:53:40 -04:00
file.c [PATCH] merge locate_fd() and get_unused_fd() 2008-08-01 11:25:23 -04:00
filesystems.c
fs-writeback.c VFS: export sync_sb_inodes 2008-07-14 19:10:52 +03:00
generic_acl.c
inode.c fs/inode.c: properly init address_space->writeback_index 2008-08-15 08:35:44 -07:00
inotify_user.c [PATCH] sanitize __user_walk_fd() et.al. 2008-07-26 20:53:34 -04:00
inotify.c
internal.h
ioctl.c
ioprio.c
Kconfig omfs: update kbuild to include OMFS 2008-07-26 12:00:05 -07:00
Kconfig.binfmt sh: Initial ELF FDPIC support. 2008-07-28 18:10:28 +09:00
libfs.c VFS: increase pseudo-filesystem block size to PAGE_SIZE 2008-07-30 09:41:44 -07:00
locks.c SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
Makefile omfs: update kbuild to include OMFS 2008-07-26 12:00:05 -07:00
mbcache.c
mpage.c vfs: add hooks for ext4's delayed allocation support 2008-07-11 19:27:31 -04:00
namei.c [patch 3/4] vfs: remove unused nameidata argument of may_create() 2008-08-01 11:25:30 -04:00
namespace.c [PATCH] pass struct path * to do_add_mount() 2008-08-01 11:25:32 -04:00
nfsctl.c
no-block.c
open.c [PATCH] merge locate_fd() and get_unused_fd() 2008-08-01 11:25:23 -04:00
pipe.c [PATCH] reuse xxx_fifo_fops for xxx_pipe_fops 2008-07-26 20:53:06 -04:00
pnode.c
pnode.h
posix_acl.c
quota_v1.c quota: move function-macros from quota.h to quotaops.h 2008-07-25 10:53:35 -07:00
quota_v2.c quota: move function-macros from quota.h to quotaops.h 2008-07-25 10:53:35 -07:00
quota.c quota: cleanup loop in sync_dquots() 2008-07-25 10:53:35 -07:00
read_write.c Remove BKL from remote_llseek v2 2008-07-02 15:06:27 -06:00
read_write.h
readdir.c
select.c Fix performance regression on lmbench select benchmark 2008-06-22 12:23:15 -07:00
seq_file.c seq_file: add seq_cpumask(), seq_nodemask() 2008-08-12 16:07:30 -07:00
signalfd.c flag parameters: check magic constants 2008-07-24 10:47:29 -07:00
splice.c mm: rename page trylock 2008-08-04 21:31:34 -07:00
stack.c
stat.c [PATCH] sanitize __user_walk_fd() et.al. 2008-07-26 20:53:34 -04:00
super.c fix soft lock up at NFS mount via per-SB LRU-list of unused dentries 2008-07-24 10:47:15 -07:00
sync.c SYNC_FILE_RANGE_WRITE may and will block. Document that. 2008-07-24 10:47:17 -07:00
timerfd.c flag parameters: check magic constants 2008-07-24 10:47:29 -07:00
utimes.c [PATCH] sanitize __user_walk_fd() et.al. 2008-07-26 20:53:34 -04:00
xattr_acl.c
xattr.c [PATCH] sanitize __user_walk_fd() et.al. 2008-07-26 20:53:34 -04:00