From: Andy Isaacson <adi@hexapodia.org>
To: Bill Davidsen <davidsen@tmr.com>
Cc: linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
Neil Brown <neilb@suse.de>,
linux-raid@vger.kernel.org
Subject: Re: [PATCH] fix read past end of array in md/linear.c
Date: Thu, 8 Mar 2007 22:33:27 -0800
Message-ID: <20070309063327.GM29544@hexapodia.org>
In-Reply-To: <45F0C87A.9000400@tmr.com>
On Thu, Mar 08, 2007 at 09:37:46PM -0500, Bill Davidsen wrote:
> Andy Isaacson wrote:
> >% dd bs=1 seek=840716287 if=/dev/zero of=d1 count=1
> >% for i in 2 3 4; do dd if=/dev/zero of=d$i bs=1k count=$(($i+150)); done
[snip]
> >- for (j=i; i<cnt-1 && sz < min_spacing ; j++)
> >+ for (j=i; j<cnt-1 && sz < min_spacing ; j++)
> > sz += conf->disks[j].size;
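Review bot: switching the test from `i` to `j` is the right fix, but it is worth confirming that `cnt-1` is the bound the loop was meant to have. `j` starts at `i` and `i` is never changed in the visible body, so the old condition `i<cnt-1` is constant for the whole loop and `conf->disks[j].size` keeps being read until `sz` reaches `min_spacing`, which runs off the end of the table whenever the disks after `i` are too small to get there (the 800MB, 151kB..154kB case). With `j<cnt-1` the walk now stops before `conf->disks[cnt-1]`, so the last disk never contributes to `sz`; if every remaining disk is supposed to be counted, the condition would have to be `j<cnt` instead.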
>
> After looking at that code, I have to wonder how this ever worked, or if
> in fact anyone ever took this path. I assume that the value of sz caused
> the loop exit in all cases, since this has been in the code at least
> since 2.6.15, oldest thing I have handy.
Well, just about any sane set of device sizes causes sz to rapidly
exceed min_spacing. You'll notice that my failure case is
{ 800MB, 151kB, 152kB, 153kB, 154kB }.
And even in the failure case, it's just a read from uninitialized
memory, which is probably either a small value (so it won't make the
answer very wrong) or a large value (so it will be rejected in the
immediately following code). In my case it happened to be some slab
poison of 0xa5a5a5a5 or something like that, and the code went on just
fine.
-andy
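To make the failure mode concrete, here is a stand-alone C reproduction of the loop in question. It is an added example, not code from this thread or from md/linear.c: the disk table is a constructed stand-in (sizes in 512-byte sectors, an assumption), `MIN_SPACING` is a made-up value chosen only so that the four small disks fall short of it (the real value is computed in the driver from the array size), and the poison entries after the table stand in for whatever happens to sit in memory past the end of the real array.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the per-disk table in md/linear.c; only the
 * size field matters for the loop under discussion.  Sizes are in
 * 512-byte sectors (an assumption made for this demo). */
struct dev_info {
    uint64_t size;
};

#define NDISKS   5
#define PADDING  4                 /* entries after the table so the overrun is observable */
#define POISON   0xa5a5a5a5ULL     /* stands in for slab poison in the memory past the array */

/* The five-device failure case from the thread: 800MB, 151kB .. 154kB,
 * followed by poison so a read past the end is visible rather than UB. */
static struct dev_info table[NDISKS + PADDING] = {
    { 800ULL * 1024 * 1024 / 512 },
    { 151ULL * 1024 / 512 },
    { 152ULL * 1024 / 512 },
    { 153ULL * 1024 / 512 },
    { 154ULL * 1024 / 512 },
    { POISON }, { POISON }, { POISON }, { POISON },
};

/* Hypothetical min_spacing for this demo.  The real value is derived in
 * md/linear.c from the array size; all that matters here is that the four
 * small disks together (302+304+306+308 = 1220 sectors) fall short of it. */
#define MIN_SPACING 3202ULL

/*
 * Run the spacing loop starting at disk i over a table of cnt disks.
 * buggy=1 uses the pre-patch condition (i < cnt-1), buggy=0 the fixed
 * one (j < cnt-1).  Returns the highest index j whose size was read
 * (-1 if none) and leaves the accumulated size in *out_sz.  The walk is
 * clamped to NDISKS+PADDING so the demo itself never reads out of bounds.
 */
static int spacing_walk(int i, int cnt, int buggy, uint64_t *out_sz)
{
    uint64_t sz = 0;
    int j, last = -1;

    for (j = i; (buggy ? i : j) < cnt - 1 && sz < MIN_SPACING; j++) {
        if (j >= NDISKS + PADDING)
            break;                 /* guard for the demo only */
        sz += table[j].size;
        last = j;
    }
    *out_sz = sz;
    return last;
}

/* Highest table index read when starting at disk i. */
static int last_index_read(int i, int buggy)
{
    uint64_t sz;
    return spacing_walk(i, NDISKS, buggy, &sz);
}

/* Accumulated size when starting at disk i. */
static uint64_t total_read(int i, int buggy)
{
    uint64_t sz;
    spacing_walk(i, NDISKS, buggy, &sz);
    return sz;
}

int main(void)
{
    /* Starting at the 800MB disk, both versions stop after one read:
     * the first disk alone already exceeds MIN_SPACING. */
    printf("i=0 buggy: last index %d  sz=%llu\n", last_index_read(0, 1),
           (unsigned long long)total_read(0, 1));
    /* Starting at the first small disk, the buggy loop walks into the
     * poison past the table (index 5 of a 5-entry table); the fixed loop
     * stops before disks[cnt-1]. */
    printf("i=1 buggy: last index %d  sz=%llu\n", last_index_read(1, 1),
           (unsigned long long)total_read(1, 1));
    printf("i=1 fixed: last index %d  sz=%llu\n", last_index_read(1, 0),
           (unsigned long long)total_read(1, 0));
    return 0;
}
```

Compile with `cc -std=c99 -Wall demo.c && ./a.out`. The i=0 case is the "sane sizes" situation: the first disk alone satisfies `sz >= MIN_SPACING`, so the wrong loop variable never matters. The i=1 case is the failure: the pre-patch loop reads one entry past the table and lands on the poison value, which is large enough to satisfy the spacing test, so the walk terminates and the code goes on as if nothing happened.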
Thread overview: 3+ messages
2007-03-08 20:52 [PATCH] fix read past end of array in md/linear.c Andy Isaacson
2007-03-09 2:37 ` Bill Davidsen
2007-03-09 6:33 ` Andy Isaacson [this message]