Yes, you are right.
I need more work on my trival patch.
On Thu, Apr 05, 2007 at 01:34:42PM +0600, Alexander E. Patrakov wrote:
> lepton wrote:
> >Hi,
> > When reading corrupted reiserfs directory data, d_reclen
> > could be a negative number, then memcpy will overflow
> > kernel stack. This can lead to kernel panic.
> > The following patch adds a sanity check. (against 2.6.20.4)
>
> Is it possible to get a large positive number here due to other fs
> corruption and bypass your sanity check? If I read the code correctly, this
> would still oops in the "if" statement just below the part you patched.
>
> >Signed-off-by: Lepton Wu <[EMAIL PROTECTED]>
> >
> >diff -pru linux-2.6/fs/reiserfs/dir.c linux-2.6-lepton/fs/reiserfs/dir.c
> >--- linux-2.6/fs/reiserfs/dir.c 2007-02-20 14:34:32.000000000 +0800
> >+++ linux-2.6-lepton/fs/reiserfs/dir.c 2007-04-05
> >14:35:58.000000000 +0800
> >@@ -121,6 +121,11 @@ static int reiserfs_readdir(struct file
> > /* it is hidden entry */
> > continue;
> > d_reclen = entry_length(bh, ih, entry_num);
> >+ if (d_reclen < 0) {
> >+ pathrelse(&path_to_entry);
> >+ ret = -EIO;
> >+ goto out;
> >+ }
> > d_name = B_I_DEH_ENTRY_FILE_NAME(bh, ih,
> > deh);
> > if (!d_name[d_reclen - 1])
> > d_reclen = strlen(d_name);
> >O
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
