On Tue, Sep 06, 2016 at 04:36:41AM +0200, Stefan Brüns wrote:
> The following command triggers a segfault in search_dir:
> ./sandbox/u-boot -c 'host bind 0 ./sandbox/test/fs/3GB.ext4.img ;
> ext4write host 0 0 /./foo 0x10'
>
> The following command triggers a segfault in check_filename:
> ./sandbox/u-boot -c 'host bind 0 ./sandbox/test/fs/3GB.ext4.img ;
> ext4write host 0 0 /. 0x10'
>
> "." is the first entry in the directory, thus previous_dir is NULL. The
> whole previous_dir block in search_dir seems to be a bad copy from
> check_filename(...). As the changed data is not written to disk, the
> statement is mostly harmless, save the possible NULL-ptr reference.
>
> Typically a file is unlinked by extending the direntlen of the previous
> entry. If the entry is the first entry in the directory block, it is
> invalidated by setting inode=0.
>
> The inode==0 case is hard to trigger without crafted filesystems. It only
> hits if the first entry in a directory block is deleted and later a lookup
> for the entry (by name) is done.
>
> Signed-off-by: Stefan Brüns <stefan.bru...@rwth-aachen.de>
> Reviewed-by: Lukasz Majewski <l.majew...@samsung.com>
Applied to u-boot/master, thanks!

--
Tom
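Added illustration, not U-Boot's own ext4 code: a small directory-block walker modelled on the two unlink cases the quoted commit message describes. The lookup skips invalidated (inode == 0) entries and bounds-checks rec_len, and the unlink handles a first entry that has no predecessor to extend instead of dereferencing a NULL previous pointer. The entry layout, the helper names and the sample block are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Minimal ext4 linear directory entry (layout constructed for this example). */
struct ext_dirent {
    uint32_t inode;     /* 0 marks an invalidated entry */
    uint16_t rec_len;   /* distance to the next entry; grows over deleted ones */
    uint8_t  name_len, file_type;
    char     name[];    /* name_len bytes, not NUL-terminated */
};
#define DIRENT_HDR 8u
#define REC_LEN(n) ((DIRENT_HDR + (n) + 3u) & ~3u)

/* Lookup by name. Skips inode == 0 entries, stops on a rec_len that would run
 * past the block, and reports the preceding entry in *prevp (NULL when the
 * match is the first entry, which is exactly the previous_dir == NULL case). */
struct ext_dirent *find_entry(uint8_t *block, size_t size, const char *name,
                              struct ext_dirent **prevp)
{
    struct ext_dirent *prev = NULL;
    size_t nlen = strlen(name);
    for (size_t off = 0; off + DIRENT_HDR <= size;) {
        struct ext_dirent *d = (struct ext_dirent *)(block + off);
        if (d->rec_len < DIRENT_HDR || off + d->rec_len > size) return NULL;
        if (d->inode != 0 && d->name_len == nlen && !memcmp(d->name, name, nlen)) {
            if (prevp) *prevp = prev;
            return d;
        }
        prev = d; off += d->rec_len;
    }
    return NULL;
}
/* Unlink by name: a first entry has no predecessor to extend, so it is
 * invalidated by zeroing inode; a later entry is absorbed into prev->rec_len. */
int unlink_entry(uint8_t *block, size_t size, const char *name)
{
    struct ext_dirent *prev, *d = find_entry(block, size, name, &prev);
    if (!d) return 0;
    if (prev == NULL) d->inode = 0;
    else prev->rec_len += d->rec_len;
    return 1;
}
/* Append an entry while constructing a block; returns the new end offset. */
size_t add_entry(uint8_t *block, size_t off, uint32_t ino, const char *name)
{
    struct ext_dirent *d = (struct ext_dirent *)(block + off);
    d->inode = ino; d->name_len = (uint8_t)strlen(name); d->file_type = 2;
    d->rec_len = (uint16_t)REC_LEN(d->name_len);
    memcpy(d->name, name, d->name_len);
    return off + d->rec_len;
}
```

Deleting "." zeroes its inode and a later lookup of "." must then return nothing, while deleting "foo" folds its 12 bytes into the rec_len of "..".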
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot