lepton wrote:
Hi,
When reading corrupted reiserfs directory data, d_reclen
could be a negative number, then memcpy will overflow
kernel stack. This can lead to kernel panic.
The following patch adds a sanity check. (against 2.6.20.4)
Is it possible to get a large positive number here due to other fs
corruption and bypass your sanity check? If I read the code correctly, this
would still oops in the "if" statement just below the part you patched.
Signed-off-by: Lepton Wu <[EMAIL PROTECTED]>
diff -pru linux-2.6/fs/reiserfs/dir.c linux-2.6-lepton/fs/reiserfs/dir.c
--- linux-2.6/fs/reiserfs/dir.c 2007-02-20 14:34:32.000000000 +0800
+++ linux-2.6-lepton/fs/reiserfs/dir.c 2007-04-05 14:35:58.000000000 +0800
@@ -121,6 +121,11 @@ static int reiserfs_readdir(struct file
/* it is hidden entry */
continue;
d_reclen = entry_length(bh, ih, entry_num);
+ if (d_reclen < 0) {
+ pathrelse(&path_to_entry);
+ ret = -EIO;
+ goto out;
+ }
d_name = B_I_DEH_ENTRY_FILE_NAME(bh, ih, deh);
if (!d_name[d_reclen - 1])
d_reclen = strlen(d_name);
O
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
