Bug 1065434 - [ext3] infinite loop in ext3_dx_find_entry()
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.11
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Lukáš Czerner
QA Contact: Filesystem QE
Depends On:
Reported: 2014-02-14 16:26 UTC by Cedric Buissart 🐶
Modified: 2018-12-04 17:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2018-10-02 09:29:07 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 699793 None None None 2017-12-26 16:10:16 UTC

Description Cedric Buissart 🐶 2014-02-14 16:26:58 UTC
>> Description of problem:

ext3_dx_find_entry() may trigger an infinite loop if de's rec_len is 0 (e.g. bad block, corruption):

static struct buffer_head * ext3_dx_find_entry(struct dentry *dentry,
                       struct ext3_dir_entry_2 **res_dir, int *err)
{
        /* ... */
                for (; de < top; de = ext3_next_entry(de))
                if (ext3_match (namelen, name, de)) {            /* <= %RIP is somewhere within that loop */
                        if (!ext3_check_dir_entry("ext3_find_entry",
                                                  dir, de, bh,
                                          +((char *)de - bh->b_data))) {
                                brelse (bh);
                                goto errout;
                        }
                        *res_dir = de;
                        dx_release (frames);
                        return bh;
                }
        /* ... */
}

There would be 2 upstream commits that would resolve the issue:

1) upstream "ext3: Use search_dirblock() in ext3_dx_find_entry()"

The search_dirblock() makes sure that rec_len is not zero.

2) upstream "ext3: validate directory entry data before use"

See vmcore analysis in next comment.
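
The failure mode reported above, reproduced in userspace as an added example (not kernel code and not part of the original report): a directory-block walk that trusts rec_len never advances past an entry whose rec_len is 0, while a walk that validates each entry first reports the block as corrupt. The function names, the step budget standing in for the hang, the simplified sanity checks and the 64-byte sample block are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>

/* Entry layout as in ext3_dir_entry_2: inode(4) rec_len(2, LE) name_len(1) type(1) name. */
#define HDR 8u
enum { NOT_FOUND = -1, CORRUPT = -2, STUCK = -3 };

static unsigned rec_len(const uint8_t *de) { return de[4] | ((unsigned)de[5] << 8); }

static int match(const uint8_t *de, const char *name)
{
    size_t n = strlen(name);
    return (de[0] | de[1] | de[2] | de[3]) && (size_t)de[6] == n && !memcmp(de + HDR, name, n);
}

/* Trusts rec_len, like the reported loop; the step budget stands in for the hang. */
int find_unchecked(const uint8_t *blk, size_t size, const char *name, int budget)
{
    for (size_t off = 0; off + HDR <= size; off += rec_len(blk + off)) {
        if (budget-- == 0) return STUCK;      /* rec_len == 0: off never advances */
        if (match(blk + off, name)) return (int)off;
    }
    return NOT_FOUND;
}

/* Validates each entry before matching it or stepping past it. */
int find_checked(const uint8_t *blk, size_t size, const char *name)
{
    for (size_t off = 0; off + HDR <= size; off += rec_len(blk + off)) {
        const uint8_t *de = blk + off;
        unsigned rl = rec_len(de);
        if (rl < HDR || rl % 4 || HDR + de[6] > rl || off + rl > size)
            return CORRUPT;                   /* covers the rec_len == 0 case */
        if (match(de, name)) return (int)off;
    }
    return NOT_FOUND;
}

/* Constructed 64-byte block: "a"@0 (rec_len 12), "bb"@12 (16), "target"@28 (36). */
static const uint8_t GOOD[64] = {
    11,0,0,0, 12,0, 1,1, 'a',0,0,0,
    12,0,0,0, 16,0, 2,1, 'b','b',0,0,0,0,0,0,
    13,0,0,0, 36,0, 6,1, 't','a','r','g','e','t' };

/* Copies GOOD into out; when corrupt is set, zeroes the rec_len of "bb". */
void sample_block(uint8_t out[64], int corrupt)
{
    memcpy(out, GOOD, 64);
    if (corrupt) out[12 + 4] = out[12 + 5] = 0;
}
```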

Comment 4 Eric Sandeen 2014-02-17 17:04:19 UTC
Lukas, can you take a look at this one?  Sounds like patches exist upstream.


Comment 8 RHEL Product and Program Management 2014-02-19 09:22:59 UTC
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

Comment 12 Mike McCune 2016-03-28 22:55:34 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see with any questions
