Bug 1065434 - [ext3] infinite loop in ext3_dx_find_entry()
Summary: [ext3] infinite loop in ext3_dx_find_entry()
Keywords:
Status: CLOSED EOL
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.11
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Lukáš Czerner
QA Contact: Filesystem QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-02-14 16:26 UTC by Cedric Buissart 🐶
Modified: 2018-12-04 17:29 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-02 09:29:07 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 699793 None None None 2017-12-26 16:10:16 UTC

Description Cedric Buissart 🐶 2014-02-14 16:26:58 UTC
>> Description of problem:

ext3_dx_find_entry() may trigger an infinite loop if de's rec_len is 0 (e.g. bad block, corruption):

~~~
static struct buffer_head * ext3_dx_find_entry(struct dentry *dentry,
                       struct ext3_dir_entry_2 **res_dir, int *err)
{
[...]
                for (; de < top; de = ext3_next_entry(de))
                if (ext3_match (namelen, name, de)) {            /* <= %RIP is somewhere within that loop */
                        if (!ext3_check_dir_entry("ext3_find_entry",
                                                  dir, de, bh,
                                  (block<<EXT3_BLOCK_SIZE_BITS(sb))
                                          +((char *)de - bh->b_data))) {
                                brelse (bh);
                                goto errout;
                        }
                        *res_dir = de;
                        dx_release (frames);
                        return bh;
                }
~~~

There would be 2 upstream commits that would resolve the issue:

1) upstream "ext3: Use search_dirblock() in ext3_dx_find_entry()"
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5026e90b8668

The search_dirblock() makes sure that rec_len is not zero.

2) upstream "ext3: validate directory entry data before use"
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=275c0a8f



See vmcore analysis in next comment.
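
The failure mode in the description above, shown as an added user-space example (not part of the original report and not the kernel's code): a directory-block walk that validates rec_len before using an entry, so a zero rec_len is reported as corruption instead of leaving the loop without forward progress. The 64-byte block, the simplified header struct and the names put_entry, search_block and demo are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

#define BLK 64                      /* toy block size (assumption) */

/* Simplified entry header modelled on ext3_dir_entry_2 (8 bytes). */
struct dirent_hdr {
    uint32_t inode;
    uint16_t rec_len;               /* distance to the next entry */
    uint8_t  name_len;
    uint8_t  file_type;
};

/* Write one entry at offset off; constructed test data, host byte order. */
static size_t put_entry(uint8_t *blk, size_t off, uint32_t ino,
                        const char *name, uint16_t rec_len)
{
    struct dirent_hdr h = { ino, rec_len, (uint8_t)strlen(name), 1 };
    memcpy(blk + off, &h, sizeof h);
    memcpy(blk + off + sizeof h, name, h.name_len);
    return off + rec_len;
}

/* Returns offset of the match, -1 if not found, -2 if the block is corrupt. */
static int search_block(const uint8_t *blk, size_t size, const char *name)
{
    size_t off = 0, nlen = strlen(name);
    while (off + sizeof(struct dirent_hdr) <= size) {
        struct dirent_hdr h;
        memcpy(&h, blk + off, sizeof h);
        /* Validate before use: a zero rec_len would never advance off. */
        if (h.rec_len < sizeof h || h.rec_len % 4 != 0 ||
            h.rec_len > size - off || sizeof h + h.name_len > h.rec_len)
            return -2;
        if (h.inode != 0 && h.name_len == nlen &&
            memcmp(blk + off + sizeof h, name, nlen) == 0)
            return (int)off;
        off += h.rec_len;           /* guaranteed forward progress */
    }
    return -1;
}

/* Constructed block: "a" at offset 0, "file" at 16 with rec_len second_len. */
int demo(uint16_t second_len, const char *name)
{
    uint8_t blk[BLK] = {0};
    size_t off = put_entry(blk, 0, 11, "a", 16);
    put_entry(blk, off, 12, "file", second_len);
    return search_block(blk, BLK, name);
}
```

Calling demo with a second_len of 0 models the corrupted entry; the walk stops with -2 at that entry even when the name stored there would have matched.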

Comment 4 Eric Sandeen 2014-02-17 17:04:19 UTC
Lukas, can you take a look at this one?  Sounds like patches exist upstream.

Thanks,
-Eric

Comment 8 RHEL Product and Program Management 2014-02-19 09:22:59 UTC
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

Comment 12 Mike McCune 2016-03-28 22:55:34 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation. Please see mmccune@redhat.com with any questions.