Date: Mon, 14 Oct 2002 22:16:40 +0200 (CEST)
From: Mark Kettenis <kettenis@chello.nl>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/44060: [PATCH] for panic in ext2fs
Message-ID: <200210142016.g9EKGelQ003887@elgar.kettenis.dyndns.org>
>Number:         44060
>Category:       kern
>Synopsis:       [PATCH] for panic in ext2fs
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 14 13:20:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Mark Kettenis
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD elgar.kettenis.dyndns.org 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Mon Oct 14 13:24:27 CEST 2002 kettenis@elgar.kettenis.dyndns.org:/usr/obj/usr/src/sys/GENERIC i386

>Description:
There's a bug in ext2fs that leads to a kernel panic in -CURRENT (unless option NO_GEOM is present in your config).

>How-To-Repeat:
In my case this happens when I try to run the GDB testsuite with the GDB sources mounted from an ext2fs filesystem.

>Fix:
The attached patch fixes the bug.

In the fragment of code displayed in the patch, `ep' is a pointer into `bp->b_data' (where `bp' is a `struct buf'). Since the code leading up to this point brelse()'s the buffer, we're potentially accessing memory that's no longer there. In a GEOMised kernel this seems to be happening, and the resulting page fault leads to a kernel panic.

Storing the value of ep->name_len in a local variable should solve the problem. It turns out there is already such a variable called `namelen', so this patch simply uses that variable. Seems to solve the problem for me.

This patch is against version 1.36 of ext2_lookup.c
http://members.chello.nl/~m.m.kettenis/FreeBSD/5-current/ext2fs.patch.

Mark

--- /usr/src/sys/gnu/ext2fs/ext2_lookup.c.orig	Thu Aug 15 22:55:01 2002
+++ /usr/src/sys/gnu/ext2fs/ext2_lookup.c	Mon Oct 14 21:19:30 2002
@@ -563,10 +563,9 @@ found: * Check that directory length properly reflects presence * of this entry. */ - if (entryoffsetinblock + EXT2_DIR_REC_LEN(ep->name_len) - > dp->i_size) { + if (entryoffsetinblock + EXT2_DIR_REC_LEN(namlen) > dp->i_size) { ext2_dirbad(dp, dp->i_offset, "i_size too small"); - dp->i_size = entryoffsetinblock+EXT2_DIR_REC_LEN(ep->name_len); + dp->i_size = entryoffsetinblock + EXT2_DIR_REC_LEN(namlen); dp->i_flag |= IN_CHANGE | IN_UPDATE; } >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
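Review bot: the fix relies on `namlen` already holding the matched entry's name length when control reaches `found:`, but the hunk shows only the two uses; confirm that `namlen` is assigned from `ep->name_len` for the entry that matched before the buffer is brelse()'d, otherwise both the `> dp->i_size` check and the `dp->i_size = entryoffsetinblock + EXT2_DIR_REC_LEN(namlen);` correction would use a stale length. The description calls the variable `namelen' while the hunk uses `namlen`; align the text with the code. Any remaining `ep->` dereference after `found:` has the same use-after-release problem as the two lines replaced here and should get the same treatment.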
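The bug class in this report, a pointer into a released buffer-cache block being dereferenced after brelse(), is easy to reproduce in a small user-space model. The following C program is an added example and is not code from the report or from the FreeBSD ext2fs sources: the `struct buf`, `struct ext2_dir_entry`, `brelse()` and `EXT2_DIR_REC_LEN` here are constructed, simplified stand-ins that keep the names used in the report. The simulated brelse() overwrites the block to model reuse by the buffer cache (the real kernel may also unmap it, which is where the page fault and panic come from). It runs the "i_size too small" check both the original way (reading `ep->name_len` after release) and the patched way (copying the length into `namlen` while the buffer is still held), so you can see the stale read turn a consistent directory into a spurious i_size correction.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel types involved; field names follow
 * the report (b_data, name_len) but the layouts are simplified. */
struct ext2_dir_entry {
    uint32_t inode;
    uint16_t rec_len;
    uint8_t  name_len;
    uint8_t  file_type;
    char     name[255];
};

struct buf {
    char b_data[512];
};

/* Same rounding as the real macro: 8-byte header plus name, rounded up to 4. */
#define EXT2_DIR_REC_LEN(name_len) (((name_len) + 8 + 3) & ~3)

/* Simulated brelse(): once released, the block belongs to the buffer cache
 * again and may be refilled with anything. Overwriting b_data models that
 * reuse deterministically. */
static void brelse(struct buf *bp)
{
    memset(bp->b_data, 0xff, sizeof bp->b_data);
}

/* Place a single directory entry at the start of bp->b_data. */
static void fill_entry(struct buf *bp, const char *name)
{
    struct ext2_dir_entry *ep = (struct ext2_dir_entry *)bp->b_data;
    memset(bp->b_data, 0, sizeof bp->b_data);
    ep->inode = 12;
    ep->name_len = (uint8_t)strlen(name);
    ep->rec_len = (uint16_t)EXT2_DIR_REC_LEN(ep->name_len);
    memcpy(ep->name, name, ep->name_len);
}

/*
 * The "i_size too small" consistency check from the report, in two forms.
 * Returns the i_size the directory inode would end up with.
 *
 * use_fix == 0: read ep->name_len after brelse(), as the original code did.
 * use_fix != 0: use the copy taken before brelse(), as the patch does.
 */
static uint32_t check_dir_size(const char *name, uint32_t entryoffsetinblock,
                               uint32_t i_size, int use_fix)
{
    struct buf b;
    struct ext2_dir_entry *ep;
    int namlen;

    fill_entry(&b, name);
    ep = (struct ext2_dir_entry *)b.b_data;
    namlen = ep->name_len;      /* valid: the buffer is still held here */

    brelse(&b);                 /* from now on ep points into reused memory */

    if (use_fix) {
        if (entryoffsetinblock + EXT2_DIR_REC_LEN(namlen) > i_size)
            i_size = entryoffsetinblock + EXT2_DIR_REC_LEN(namlen);
    } else {
        /* stale read: name_len is whatever now occupies the block (0xff) */
        if (entryoffsetinblock + EXT2_DIR_REC_LEN(ep->name_len) > i_size)
            i_size = entryoffsetinblock + EXT2_DIR_REC_LEN(ep->name_len);
    }
    return i_size;
}

int main(void)
{
    /* Constructed input: "gdb.c" (rec_len 16) at offset 24 in a 64-byte dir. */
    printf("fixed: i_size = %u\n", (unsigned)check_dir_size("gdb.c", 24, 64, 1));
    printf("buggy: i_size = %u\n", (unsigned)check_dir_size("gdb.c", 24, 64, 0));
    return 0;
}
```

With the entry "gdb.c" at offset 24, the record length is 16, so 24 + 16 = 40 fits in a 64-byte directory and the patched path leaves i_size at 64. The original path reads 0xff from the reused block, computes 24 + 264 = 288, and "corrects" i_size upward, which is the silent-corruption variant of the same defect whose noisy variant (an unmapped page) is the panic in the report.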