From: Theodore Tso <tytso@mit.edu>
To: Thiemo Nagel <thiemo.nagel@ph.tum.de>
Cc: Ext4 Developers List <linux-ext4@vger.kernel.org>
Subject: Re: [PATCH] ext4: fix null pointer deref on mount
Date: Mon, 5 Jan 2009 12:02:59 -0500
Message-ID: <20090105170259.GB8939@mit.edu>
In-Reply-To: <4961603B.5020505@ph.tum.de>

On Mon, Jan 05, 2009 at 02:19:55AM +0100, Thiemo Nagel wrote:
> I came across a null pointer dereference when mounting an intentionally  
> corrupted filesystem (cf. debug.dmesg).  In my opinion, the problem lies  
> in ext4_fill_super(), where truncation may occur on setting the integer  
> db_count, which results in too little memory being allocated for  
> sbi->s_group_desc.  The attached patch (against 2.6.28) fixes this by  
> changing the type of db_count to unsigned long.  I also took the  
> opportunity to make the check against sign extension in calculation of  
> db_count more strict, so that it now excludes cases in which db_count  
> comes out as zero.

Using unsigned long is almost always wrong, because it's not a fixed
size; it's 32 bits on x86_32, but 64 bits on x86_64.  In this
particular case, db_count is always going to be well under 32 bits for
any legitimate filesystem.  If it isn't we need to have better checks;
it sounds like the checks we need are ones that do a better job
checking s_blocks_per_group; am I right in assuming that
s_blocks_per_group was something ridiculous and that is what caused
the overflow?

						- Ted
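The program below is an added example for this thread; it is not ext4 source and not Thiemo's patch. It reproduces in userspace the bug class the two messages describe: a count of group-descriptor blocks is derived from superblock fields in 64-bit arithmetic and then stored in a plain int, so a crafted image with a ridiculous s_blocks_per_group and a large block count makes the count wrap (here to zero) and the descriptor table sized from it is far too small. The checked variant does what Ted asks for: it bounds s_blocks_per_group (a group's block bitmap must fit in one block, so at most 8 * block_size blocks per group, and never zero) and refuses to narrow a result that does not fit, rather than widening the variable. The struct, the DEMO_MAX_DB_COUNT cap, the function names and the three sample superblocks are all hypothetical and constructed for the demonstration.

```c
/*
 * Added example: NOT ext4 source and NOT the patch under discussion.
 * A count of group-descriptor blocks derived from on-disk superblock
 * fields is computed in 64 bits but stored in a plain int, so a crafted
 * superblock makes it wrap (here to zero) and the descriptor table
 * allocated from it is far too small. All struct, constant and function
 * names are hypothetical; the sample superblocks are constructed.
 */
#include <stdint.h>
#include <stdio.h>

/* Constructed subset of an ext4-style superblock, host-endian (on disk the
 * fields are little-endian and s_blocks_count is split into lo/hi halves). */
struct demo_sb {
    uint64_t s_blocks_count;      /* total blocks in the filesystem */
    uint32_t s_first_data_block;  /* 1 for 1 KiB blocks, 0 otherwise */
    uint32_t s_blocks_per_group;  /* attacker-controlled on a crafted image */
    uint32_t s_block_size;        /* 1024 << s_log_block_size */
    uint32_t s_desc_size;         /* bytes per group descriptor (32 or 64) */
};

/* Hypothetical cap on the number of descriptor blocks a mount will accept. */
#define DEMO_MAX_DB_COUNT ((uint64_t)INT32_MAX)

/* Sample superblocks (constructed). "bad" has a ridiculous
 * s_blocks_per_group of 1 together with a 64-bit block count; "huge_bpg"
 * has more blocks per group than a one-block bitmap can describe. */
static const struct demo_sb demo_sane_sb = {
    .s_blocks_count = 1ULL << 20, .s_first_data_block = 0,
    .s_blocks_per_group = 32768, .s_block_size = 4096, .s_desc_size = 32,
};
static const struct demo_sb demo_bad_sb = {
    .s_blocks_count = 1ULL << 40, .s_first_data_block = 1,
    .s_blocks_per_group = 1, .s_block_size = 1024, .s_desc_size = 32,
};
static const struct demo_sb demo_huge_bpg_sb = {
    .s_blocks_count = 1ULL << 20, .s_first_data_block = 1,
    .s_blocks_per_group = 0xFFFFFFFFu, .s_block_size = 1024, .s_desc_size = 32,
};

/* Number of block groups, rounded up, in 64-bit arithmetic.
 * Caller must have rejected s_blocks_per_group == 0 (division by zero). */
static uint64_t demo_groups_count(const struct demo_sb *sb)
{
    uint64_t data_blocks = sb->s_blocks_count - sb->s_first_data_block;
    return (data_blocks + sb->s_blocks_per_group - 1) / sb->s_blocks_per_group;
}

/* Number of blocks needed to hold all group descriptors, in 64 bits. */
static uint64_t demo_db_count64(const struct demo_sb *sb)
{
    uint64_t desc_per_block = sb->s_block_size / sb->s_desc_size;
    return (demo_groups_count(sb) + desc_per_block - 1) / desc_per_block;
}

/* Unsafe pattern: the 64-bit result is assigned to an int. The narrowing is
 * implementation-defined in ISO C; on GCC/Clang it keeps the low 32 bits,
 * so for demo_bad_sb (2^35 descriptor blocks) db_count becomes 0 and a
 * kmalloc-style allocation of db_count * sizeof(pointer) bytes holds
 * nothing. Every later s_group_desc[i] access then runs off the end. */
static int demo_db_count_naive(const struct demo_sb *sb)
{
    int db_count = demo_db_count64(sb);   /* silent truncation */
    return db_count;
}

/* Safer pattern: validate the inputs, then check that the 64-bit result
 * fits before narrowing. Returns the count, or -1 to refuse the mount. */
static int64_t demo_db_count_checked(const struct demo_sb *sb)
{
    /* A group's block bitmap must fit in a single block, so no group can
     * have more than 8 * block_size blocks; zero would divide by zero. */
    if (sb->s_blocks_per_group == 0 ||
        sb->s_blocks_per_group > 8u * sb->s_block_size)
        return -1;
    if (sb->s_desc_size == 0 || sb->s_desc_size > sb->s_block_size)
        return -1;
    if (sb->s_first_data_block >= sb->s_blocks_count)
        return -1;

    uint64_t db = demo_db_count64(sb);
    if (db == 0 || db > DEMO_MAX_DB_COUNT)
        return -1;                        /* would not survive narrowing */
    return (int64_t)db;
}

int main(void)
{
    const struct demo_sb *cases[] = { &demo_sane_sb, &demo_bad_sb, &demo_huge_bpg_sb };
    const char *names[] = { "sane", "bad (bpg=1, 2^40 blocks)", "huge bpg" };
    for (int i = 0; i < 3; i++)
        printf("%-26s naive db_count=%d  checked=%lld\n", names[i],
               demo_db_count_naive(cases[i]),
               (long long)demo_db_count_checked(cases[i]));
    return 0;
}
```

For the sane image both paths agree on one descriptor block. For the crafted image the naive path reports zero descriptor blocks while the real requirement is 2^35, which is the shape of the undersized sbi->s_group_desc allocation Thiemo describes; the checked path rejects it on the size of the result, and rejects the oversized s_blocks_per_group image on the input bound alone, before any arithmetic on it.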


Thread overview: 12+ messages
2009-01-05  1:19 [PATCH] ext4: fix null pointer deref on mount Thiemo Nagel
2009-01-05 17:02 ` Theodore Tso [this message]
2009-01-05 20:50   ` Thiemo Nagel
2009-01-05 21:39     ` Theodore Tso
2009-01-05 22:50       ` Thiemo Nagel
2009-01-05 23:34         ` Theodore Tso
2009-01-05 23:44         ` Theodore Tso
2009-01-06  4:12           ` Theodore Tso
2009-01-22  0:43             ` Thiemo Nagel
2009-01-06 12:46           ` Thiemo Nagel
2009-01-06 13:25             ` Theodore Tso
2009-01-06 16:32               ` Thiemo Nagel
