From: Theodore Tso <tytso@mit.edu>
To: Andreas Dilger <adilger@clusterfs.com>
Cc: Kalpak Shah <kalpak@clusterfs.com>,
linux-ext4 <linux-ext4@vger.kernel.org>
Subject: Re: Random corruption test for e2fsck
Date: Wed, 11 Jul 2007 13:43:47 -0400
Message-ID: <20070711174347.GD19456@thunk.org>
In-Reply-To: <20070711094410.GM6417@schatzie.adilger.int>
On Wed, Jul 11, 2007 at 03:44:11AM -0600, Andreas Dilger wrote:
> I've already found some kind of memory corruption in e2fsck as a result
> of running this as a regular user. It segfaults in qsort() when freeing
> memory. The image that causes this problem is attached, and it happens
> with the unpatched 1.39-WIP Mercurial tree of 2007-05-22. Unfortunately,
> I don't have any decent memory debugging tools handy, so it isn't easy to
> see what is happening. This is on an FC3 i686 system, in case it matters.
Thanks for sending me the test case! Here's the patch, which will
probably cause me to do a 1.40.2 release sooner rather than later...
- Ted
commit 5e9ba85c2694926eb784531d81ba107200cf1a51
Author: Theodore Ts'o <tytso@mit.edu>
Date: Wed Jul 11 13:42:43 2007 -0400

Fix e2fsck segfault on very badly damaged filesystems

A recent change to e2fsck_add_dir_info() to use tdb files to check
filesystems with a very large number of filesystems had a typo which
caused us to resize the wrong data structure. This would cause an
array overrun leading to malloc pointer corruptions. Since we
normally can very accurately predict how big the dirinfo array
needs to be, this bug only got triggered on very badly corrupted
filesystems.

Thanks to Andreas Dilger for submitting the test case which discovered
this problem, and to Kalpak Shah for writing a random testing script
which created the test case.

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
diff --git a/e2fsck/dirinfo.c b/e2fsck/dirinfo.c
index aaa4d09..f583c62 100644
--- a/e2fsck/dirinfo.c
+++ b/e2fsck/dirinfo.c
@@ -126,7 +126,7 @@ void e2fsck_add_dir_info(e2fsck_t ctx, ext2_ino_t ino, ext2_ino_t parent)
ctx->dir_info->size += 10;
retval = ext2fs_resize_mem(old_size, ctx->dir_info->size *
sizeof(struct dir_info),
- &ctx->dir_info);
+ &ctx->dir_info->array);
if (retval) {
ctx->dir_info->size -= 10;
return;
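Review bot: The failure branch under `if (retval)` rolls `ctx->dir_info->size` back by 10 and then does a bare `return;` from a void function, so when the resize fails the caller has no way to learn that this directory was never recorded. Since the commit message says this growth path is reached mainly on badly corrupted filesystems, it would be worth reporting the error or aborting the check there instead of continuing with an incomplete dirinfo table. Separately, both `&ctx->dir_info` and `&ctx->dir_info->array` were accepted as the last argument to ext2fs_resize_mem(), so the compiler gives no protection against this class of typo; a short comment at the call naming which allocation is being grown, plus adding the reported image as a regression test (the diff shown touches only e2fsck/dirinfo.c), would help keep it from coming back.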