From: Andreas Dilger
Subject: Re: ext3 -> crash -> fsck -> readlink -> oops
Date: Fri, 17 May 2002 02:55:08 -0600
Message-ID: <20020517085508.GP12975@turbolinux.com>
To: Andrew Morton
Cc: "H. Peter Anvin", linux-fsdevel@vger.kernel.org, ext2-devel@lists.sourceforge.net
References: <3CE46CF0.E0C9BCC5@zip.com.au>
In-Reply-To: <3CE46CF0.E0C9BCC5@zip.com.au>

On May 16, 2002 19:37 -0700, Andrew Morton wrote:
> You seem to have a 4k symlink. I'd have expected fsck to detect that.

I just took a look (built a simple testcase) and it does not detect string overflows for long symlinks. It does for fast symlinks, because the data is available right away when it is checking the inode data, but the block data isn't validated at that time, nor later in the run.

> It crashed because vfs_readlink ran off the end of the page.
>
> --- linux-2.4.19-pre8/fs/namei.c Thu May 2 17:44:56 2002
> +++ linux-akpm/fs/namei.c Thu May 16 19:34:57 2002
> @@ -1947,7 +1947,7 @@ int vfs_readlink(struct dentry *dentry,
>  	if (IS_ERR(link))
>  		goto out;
>  
> -	len = strlen(link);
> +	len = strnlen(link, PAGE_CACHE_SIZE);
>  	if (len > (unsigned) buflen)
>  		len = buflen;
>  	if (copy_to_user(buffer, link, len))

This will fix the oops on behalf of the kernel. I'm just working on a patch to e2fsck to fix that side of things.

Cheers, Andreas
-- 
Andreas Dilger
http://www-mddsp.enel.ucalgary.ca/People/adilger/
http://sourceforge.net/projects/ext2resize/
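Review bot: the bound in `len = strnlen(link, PAGE_CACHE_SIZE);` stops the walk at the end of the page, but when no NUL is found strnlen returns PAGE_CACHE_SIZE and the lines below still copy up to buflen bytes of the unterminated target to userspace, so the corrupt inode is served as a silently truncated link rather than reported; consider returning an error (or at least logging) when strnlen reaches the bound so the corruption stays visible. The hunk also does not show the callers of vfs_readlink: a page-sized bound only protects a link buffer that is at least a page long, so any caller passing a smaller buffer (an in-inode fast symlink, for instance) would need its own limit.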
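As an added illustration (not code from this thread, the kernel, or e2fsck), the validation the mail says e2fsck lacks for block-backed symlinks, written as a stand-alone C check; the 4k block size, the i_size values and the sample targets are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* strnlen() */
#include <stdio.h>
#include <string.h>
#define BLKSIZE 4096   /* constructed: one 4k block, as in the report */

/* The check e2fsck was missing for block-backed ("slow") symlinks: the
 * target must be NUL-terminated inside its block and the string length
 * must agree with the inode's i_size.  strnlen is bounded by blksize, so
 * an unterminated block is rejected instead of being read past its end. */
int slow_symlink_ok(const char *blk, size_t blksize, size_t i_size)
{
    size_t len;
    if (i_size == 0 || i_size >= blksize)   /* no room for the terminator */
        return 0;
    len = strnlen(blk, blksize);
    if (len == blksize)                      /* no NUL anywhere in the block */
        return 0;
    return len == i_size;                    /* stored length must agree */
}

/* Constructed case: a block of non-NUL bytes, i.e. the 4k symlink that
 * made the unbounded strlen run off the page.  Expected: rejected (0). */
int check_unterminated_block(void)
{
    char blk[BLKSIZE];
    memset(blk, 'A', sizeof(blk));
    return slow_symlink_ok(blk, sizeof(blk), 100);
}

/* Constructed case: a sane target with matching i_size.  Expected: 1. */
int check_terminated_block(void)
{
    char blk[BLKSIZE] = "/usr/local/lib";   /* rest of the block is zeroed */
    return slow_symlink_ok(blk, sizeof(blk), strlen("/usr/local/lib"));
}

/* Constructed case: NUL present but i_size disagrees with it.  Expected: 0. */
int check_size_mismatch(void)
{
    char blk[BLKSIZE] = "/tmp";
    return slow_symlink_ok(blk, sizeof(blk), 10);
}

int main(void)
{
    printf("unterminated=%d terminated=%d mismatch=%d\n",
           check_unterminated_block(), check_terminated_block(), check_size_mismatch());
    return 0;
}
```

The same function applies to an in-inode fast symlink by passing the size of the inode's data area instead of the block size.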