From: Eric Sandeen <sandeen@sandeen.net>
To: linux-kernel Mailing List <linux-kernel@vger.kernel.org>
Cc: linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: [PATCH V2] limit minixfs printks on corrupted dir i_size, CVE-2006-6058
Date: Thu, 09 Aug 2007 15:40:00 -0500 [thread overview]
Message-ID: <46BB7BA0.70107@sandeen.net> (raw)
In-Reply-To: <46BB6101.4030307@redhat.com>
Perhaps this is simpler, and preferable. Thanks to adilger for
reminding me about printk_ratelimit. :)
----
This attempts to address CVE-2006-6058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
Essentially a corrupted minix dir inode reporting a very large
i_size will loop for a very long time in minix_readdir, minix_find_entry,
etc, because on EIO they just move on to try the next page. This is
under the BKL, printk-storming as well. This can lock up the machine
for a very long time. Simply ratelimiting the printks gets things back
under control.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Index: linux-2.6.22-rc4/fs/minix/itree_v1.c
===================================================================
--- linux-2.6.22-rc4.orig/fs/minix/itree_v1.c
+++ linux-2.6.22-rc4/fs/minix/itree_v1.c
@@ -27,7 +27,8 @@ static int block_to_path(struct inode *
if (block < 0) {
printk("minix_bmap: block<0\n");
} else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
- printk("minix_bmap: block>big\n");
+ if (printk_ratelimit())
+ printk("minix_bmap: block>big\n");
} else if (block < 7) {
offsets[n++] = block;
} else if ((block -= 7) < 512) {
Index: linux-2.6.22-rc4/fs/minix/itree_v2.c
===================================================================
--- linux-2.6.22-rc4.orig/fs/minix/itree_v2.c
+++ linux-2.6.22-rc4/fs/minix/itree_v2.c
@@ -28,7 +28,8 @@ static int block_to_path(struct inode *
if (block < 0) {
printk("minix_bmap: block<0\n");
} else if (block >= (minix_sb(inode->i_sb)->s_max_size/sb->s_blocksize)) {
- printk("minix_bmap: block>big\n");
+ if (printk_ratelimit())
+ printk("minix_bmap: block>big\n");
} else if (block < 7) {
offsets[n++] = block;
} else if ((block -= 7) < 256) {
next prev parent reply other threads:[~2007-08-09 20:40 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-09 18:46 [PATCH] limit minixfs dir_pages on corrupted dir i_size, CVE-2006-6058 Eric Sandeen
2007-08-09 20:40 ` Eric Sandeen [this message]
[not found] <8Qlff-3jX-29@gated-at.bofh.it>
[not found] ` <8Qn7m-6li-27@gated-at.bofh.it>
2007-08-09 21:47 ` [PATCH V2] limit minixfs printks " Bodo Eggert
2007-08-09 21:47 ` Bodo Eggert
2007-08-09 22:08 ` Eric Sandeen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46BB7BA0.70107@sandeen.net \
--to=sandeen@sandeen.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.