From: Eric Sesterhenn <snakebyte@gmx.de>
To: Phillip Lougher <phil.lougher@gmail.com>
Cc: "Tom Rini" <trini@kernel.crashing.org>,
chris@zankel.net, "Jörn Engel" <joern@logfs.org>,
linuxppc-dev@ozlabs.org, rpurdie@rpsys.net,
linux-fsdevel@vger.kernel.org
Subject: Re: Warning and BUG with btrfs and corrupted image
Date: Fri, 23 Jan 2009 09:56:21 +0100 [thread overview]
Message-ID: <20090123085620.GA12650@alice> (raw)
In-Reply-To: <cce9e37e0901211815l2195858cob6e68ac8ad93e679@mail.gmail.com>
* Phillip Lougher (phil.lougher@gmail.com) wrote:
> On Tue, Jan 20, 2009 at 4:51 PM, Eric Sesterhenn <snakebyte@gmx.de> wrote:
>
> > I already tested squashfs. One issue is basically a problem with
> > the zlib-api for which i just posted a patch here
> > http://marc.info/?t=123212807300003&r=1&w=2
> >
>
> Thanks for testing Squashfs. I've not ignored your emails, but I've
> been busy job hunting, and so have not had time to look into this
> until now.
no problem, made me take a closer look at the issue :-) Hope you were
successfull
> I hardened Squashfs against fsfuzzer back in November 2006 (remember
> the month of kernel bugs, or MOKB, which highlighted a number of
> issues with Squashfs). Your testing has thrown up a regression that I
> inadvertently put in last month!
Thats why I do the fsfuzzer tests for every kernel i test :-)
will you do the "wheter" -> "whether" change for the other patch locally
and push it or do you want me to send a changed version?
> > The other is an overwritten redzone (also reported in this thread
> > http://marc.info/?l=linux-fsdevel&m=123212794425497&w=2)
> > Looks like a length parameter is passed to squashfs_read_data
> > which is bigger than ((msblk->block_size >> msblk->devblksize_log2) +
> > 1), so the kcalloced buffer gets overwritten later.
>
> As part of the mainlining effort I changed Squashfs to allocate
> buffers in 4K page sizes rather than use vmalloced large buffers. As
> far as zlib goes, it means zlib_inflate now decompresses into a
> sequence of 4K buffers rather than one large buffer. What this means
> is zlib_inflate is called repeatedly moving to the next 4K page
> whenever zlib_inflate asks for another buffer (stream.avail_out == 0).
>
> Your testing have thrown up the case where zlib_inflate is asking for
> too many output buffers, i.e. it has returned with Z_OK,
> stream.avail_in !=0 (more input data to be processed), and
> stream.avail_out == 0 (I'd like another output buffer). but it has
> consumed all the output buffers. This isn't checked (the code assumes
> zlib will do the right thing on corrupt data and bomb out). My guess
> is either zlib_inflate is getting confused with corrupt data, or
> fsfuzzer gets lucky sometimes and corrupts the filesystem to point to
> another valid but larger compressed block (i.e. in your test
> filesystems the 4K datablock is being corrupted to point to an 8K
> metadata block).
>
> This ultimately leads to an oops in zlib_inflate where it has been
> passed a bogus or NULL steam.next_out pointer.
>
> I'll create a patch and send it to you if you're happy to test it.
Sure, just throw it in my direction.
Greetings, Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Sesterhenn <snakebyte@gmx.de>
To: Phillip Lougher <phil.lougher@gmail.com>
Cc: "Tom Rini" <trini@kernel.crashing.org>,
"Jörn Engel" <joern@logfs.org>,
linux-fsdevel@vger.kernel.org, jacmet@sunsite.dk,
rpurdie@rpsys.net, linuxppc-dev@ozlabs.org, chris@zankel.net
Subject: Re: Warning and BUG with btrfs and corrupted image
Date: Fri, 23 Jan 2009 09:56:21 +0100 [thread overview]
Message-ID: <20090123085620.GA12650@alice> (raw)
In-Reply-To: <cce9e37e0901211815l2195858cob6e68ac8ad93e679@mail.gmail.com>
* Phillip Lougher (phil.lougher@gmail.com) wrote:
> On Tue, Jan 20, 2009 at 4:51 PM, Eric Sesterhenn <snakebyte@gmx.de> wrote:
>
> > I already tested squashfs. One issue is basically a problem with
> > the zlib-api for which i just posted a patch here
> > http://marc.info/?t=123212807300003&r=1&w=2
> >
>
> Thanks for testing Squashfs. I've not ignored your emails, but I've
> been busy job hunting, and so have not had time to look into this
> until now.
no problem, made me take a closer look at the issue :-) Hope you were
successfull
> I hardened Squashfs against fsfuzzer back in November 2006 (remember
> the month of kernel bugs, or MOKB, which highlighted a number of
> issues with Squashfs). Your testing has thrown up a regression that I
> inadvertently put in last month!
Thats why I do the fsfuzzer tests for every kernel i test :-)
will you do the "wheter" -> "whether" change for the other patch locally
and push it or do you want me to send a changed version?
> > The other is an overwritten redzone (also reported in this thread
> > http://marc.info/?l=linux-fsdevel&m=123212794425497&w=2)
> > Looks like a length parameter is passed to squashfs_read_data
> > which is bigger than ((msblk->block_size >> msblk->devblksize_log2) +
> > 1), so the kcalloced buffer gets overwritten later.
>
> As part of the mainlining effort I changed Squashfs to allocate
> buffers in 4K page sizes rather than use vmalloced large buffers. As
> far as zlib goes, it means zlib_inflate now decompresses into a
> sequence of 4K buffers rather than one large buffer. What this means
> is zlib_inflate is called repeatedly moving to the next 4K page
> whenever zlib_inflate asks for another buffer (stream.avail_out == 0).
>
> Your testing have thrown up the case where zlib_inflate is asking for
> too many output buffers, i.e. it has returned with Z_OK,
> stream.avail_in !=0 (more input data to be processed), and
> stream.avail_out == 0 (I'd like another output buffer). but it has
> consumed all the output buffers. This isn't checked (the code assumes
> zlib will do the right thing on corrupt data and bomb out). My guess
> is either zlib_inflate is getting confused with corrupt data, or
> fsfuzzer gets lucky sometimes and corrupts the filesystem to point to
> another valid but larger compressed block (i.e. in your test
> filesystems the 4K datablock is being corrupted to point to an 8K
> metadata block).
>
> This ultimately leads to an oops in zlib_inflate where it has been
> passed a bogus or NULL steam.next_out pointer.
>
> I'll create a patch and send it to you if you're happy to test it.
Sure, just throw it in my direction.
Greetings, Eric
next prev parent reply other threads:[~2009-01-23 8:56 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-13 14:21 Warning and BUG with btrfs and corrupted image Eric Sesterhenn
2009-01-13 14:40 ` Chris Mason
2009-01-13 14:43 ` Eric Sesterhenn
2009-01-15 2:13 ` Chris Mason
2009-01-18 17:40 ` Pavel Machek
2009-01-20 6:31 ` Eric Sesterhenn
2009-01-20 9:34 ` Pavel Machek
2009-01-20 10:11 ` Dave Chinner
2009-01-20 10:15 ` Eric Sesterhenn
2009-01-20 12:59 ` Dave Chinner
2009-01-20 13:28 ` Christoph Hellwig
2009-01-20 22:20 ` Pavel Machek
2009-01-21 4:00 ` Dave Chinner
2009-01-26 16:27 ` Pavel Machek
2009-01-26 20:06 ` [Discussion] Apparent inconsistancies in use of io_align, io_width & sector_size ashford
2009-02-01 1:40 ` Warning and BUG with btrfs and corrupted image Dave Chinner
2009-02-04 18:29 ` Pavel Machek
2009-02-05 8:59 ` Dave Chinner
2009-02-05 8:59 ` Dave Chinner
2009-02-05 9:02 ` Pavel Machek
2009-02-05 13:02 ` Chris Mason
2009-02-05 13:50 ` Pavel Machek
2009-02-05 14:19 ` jim owens
2009-02-25 19:54 ` Pavel Machek
2009-01-20 17:34 ` Eric Sesterhenn
2009-01-20 22:18 ` Pavel Machek
2009-01-21 9:36 ` Eric Sesterhenn
2009-01-21 3:57 ` Corrupted XFS log replay oops. (was Re: Warning and BUG with btrfs and corrupted image) Dave Chinner
2009-01-21 3:57 ` Dave Chinner
2009-01-21 4:03 ` Nick Piggin
2009-01-22 4:37 ` [PATCH] Re: Corrupted XFS log replay oops Dave Chinner
2009-01-22 4:37 ` Dave Chinner
2009-01-22 5:50 ` Felix Blyakher
2009-01-22 5:50 ` Felix Blyakher
2009-01-22 6:11 ` Christoph Hellwig
2009-01-22 6:11 ` Christoph Hellwig
2009-01-22 8:35 ` Eric Sesterhenn
2009-01-22 8:35 ` Eric Sesterhenn
2009-01-22 10:06 ` Eric Sesterhenn
2009-01-22 10:06 ` Eric Sesterhenn
2009-01-22 23:37 ` Dave Chinner
2009-01-22 23:37 ` Dave Chinner
2009-01-23 1:10 ` Dave Chinner
2009-01-23 1:10 ` Dave Chinner
2009-01-22 23:35 ` Dave Chinner
2009-01-22 23:35 ` Dave Chinner
2009-01-23 0:02 ` Dave Chinner
2009-01-23 0:02 ` Dave Chinner
2009-01-23 0:06 ` Christoph Hellwig
2009-01-23 0:06 ` Christoph Hellwig
2009-01-23 6:20 ` Felix Blyakher
2009-01-23 6:20 ` Felix Blyakher
2009-02-03 20:48 ` Eric Sandeen
2009-01-21 4:03 ` Corrupted XFS log replay oops. (was Re: Warning and BUG with btrfs and corrupted image) Dave Chinner
2009-01-21 4:03 ` Dave Chinner
2009-01-20 13:11 ` Warning and BUG with btrfs and corrupted image Chris Mason
2009-01-20 16:51 ` Eric Sesterhenn
2009-01-22 2:15 ` Phillip Lougher
2009-01-23 8:56 ` Eric Sesterhenn [this message]
2009-01-23 8:56 ` Eric Sesterhenn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090123085620.GA12650@alice \
--to=snakebyte@gmx.de \
--cc=chris@zankel.net \
--cc=joern@logfs.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linuxppc-dev@ozlabs.org \
--cc=phil.lougher@gmail.com \
--cc=rpurdie@rpsys.net \
--cc=trini@kernel.crashing.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.