From: Dmitry Monakhov <dmonakhov@openvz.org>
To: linux-ext4@vger.kernel.org, Theodore Ts'o <tytso@mit.edu>
Subject: Re: [PATCH] ext2fs: fix integer overflow in rb_get_bmap_range
Date: Tue, 09 Dec 2014 23:48:41 +0400
Message-ID: <87wq60wqna.fsf@openvz.org>
In-Reply-To: <1418153416-17750-1-git-send-email-dmonakhov@openvz.org>

Dmitry Monakhov <dmonakhov@openvz.org> writes:

This is the patch for the issue which I complained to you about the previous
Friday. It took longer than I expected, but now all my resize tests
succeeded. In fact, the issue may be triggered in a real-life situation
if someone uses a ballooning technique (consume space via fallocate).

> bmap_rb_extent is defined as __u64:blk __u64:count. So count can exceed INT_MAX on
> populated filesystems
>
> TESTCASE: xfstest ext4/004
>
> Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
> ---
>  lib/ext2fs/blkmap64_rb.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/lib/ext2fs/blkmap64_rb.c b/lib/ext2fs/blkmap64_rb.c
> index 8d1778d..e290ade 100644
> --- a/lib/ext2fs/blkmap64_rb.c
> +++ b/lib/ext2fs/blkmap64_rb.c
> @@ -733,7 +733,7 @@ static errcode_t rb_get_bmap_range(ext2fs_generic_bitmap bitmap,
>  	struct rb_node *parent = NULL, *next, **n;
>  	struct ext2fs_rb_private *bp;
>  	struct bmap_rb_extent *ext;
> -	int count;
> +	__u64 count;
>  	__u64 pos;
>  
>  	bp = (struct ext2fs_rb_private *) bitmap->private;
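Review bot: with `count` now declared `__u64 count;`, any signed test on it in this function becomes always false. The `if (count < 0)` removed in the next hunk is the visible one; the lines of the function that fall between the two hunks are not part of the diff, so it is worth confirming that nothing there compares `count` against zero or hands it to an `int` parameter.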
> @@ -765,9 +765,9 @@ static errcode_t rb_get_bmap_range(ext2fs_generic_bitmap bitmap,
>  		if (pos >= start + num)
>  			break;
>  		if (pos < start) {
> -			count -= start - pos;
> -			if (count < 0)
> +			if (pos + count <  start)
>  				continue;
> +			count -= start - pos;
>  			pos = start;
>  		}
>  		if (pos + count > start + num)
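Review bot: in the `pos < start` branch the new test `if (pos + count <  start)` can be written without the addition, as `if (count <= start - pos)`. `start - pos` cannot underflow inside this branch, while `pos + count` is a sum of two `__u64` values, and `<=` also skips an extent that ends exactly at `start` instead of carrying a zero `count` forward. The context line `if (pos + count > start + num)` has the same additive shape. The added line also has a double space before `start`, and the commit message could say that the check now has to come before `count -= start - pos` because `count` is unsigned.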
> -- 
> 1.8.3.1
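The truncation the commit message describes, as an added example that is not code from e2fsprogs or from the patch author. The hypothetical helpers `trim_int_count` and `trim_u64_count` model only the `pos < start` branch visible in the second hunk, and the extent values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcome of trimming an extent [pos, pos + count) that begins before `start`. */
struct trim {
    int skipped;      /* 1 if the extent was judged to end before `start` */
    uint64_t pos;     /* first block kept */
    uint64_t count;   /* number of blocks kept */
};

/* Models the removed lines: the 64-bit extent length is held in an int.
 * The narrowing is implementation-defined; gcc and clang wrap modulo 2^32. */
struct trim trim_int_count(uint64_t pos, uint64_t ext_count, uint64_t start)
{
    struct trim r = {0, pos, 0};
    int count = (int)ext_count;
    if (pos < start) {
        count -= start - pos;
        if (count < 0) { r.skipped = 1; return r; }
        r.pos = start;
    }
    r.count = (uint64_t)count;
    return r;
}

/* Models the added lines: 64-bit count, overlap test before the subtraction. */
struct trim trim_u64_count(uint64_t pos, uint64_t ext_count, uint64_t start)
{
    struct trim r = {0, pos, 0};
    uint64_t count = ext_count;
    if (pos < start) {
        if (pos + count < start) { r.skipped = 1; return r; }
        count -= start - pos;
        r.pos = start;
    }
    r.count = count;
    return r;
}

int main(void)
{
    /* Constructed case: one extent of 0xC0000000 blocks at block 0, query from block 100. */
    uint64_t pos = 0, len = 0xC0000000ULL, start = 100;
    struct trim a = trim_int_count(pos, len, start);
    struct trim b = trim_u64_count(pos, len, start);
    printf("int count: skipped=%d count=%llu\n", a.skipped, (unsigned long long)a.count);
    printf("u64 count: skipped=%d pos=%llu count=%llu\n", b.skipped,
           (unsigned long long)b.pos, (unsigned long long)b.count);
    return 0;
}
```

With the `int` variable the extent is dropped even though it covers block 100, so a caller would see those blocks as free.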
