Date: Mon, 24 Jul 2000 23:40:06 -0700 (PDT)
From: "Mark W. Krentel" <krentel@dreamscape.com>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/19407: Panic running linux binary on ext2fs
Message-ID: <200007250640.XAA83623@freefall.freebsd.org>
The following reply was made to PR kern/19407; it has been noted by GNATS.
From: "Mark W. Krentel" <krentel@dreamscape.com>
To: bde@zeta.org.au
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/19407: Panic running linux binary on ext2fs
Date: Tue, 25 Jul 2000 02:32:04 -0400 (EDT)
> I found some of the problems using these hints. There were 2 serious bugs
> in ext2_readdir(): writing far beyond the end of the cookie buffer, and
> reading a little beyond the end of the directory buffer.
Thanks for looking at the PR! I tried the patch, but unfortunately
it didn't make any difference.
Are you able to reproduce the bug? I can produce it with just the
simple readdir program (see below). Readdir prematurely returns NULL
on both ext2fs and cdrom partitions and thus lists too few files.
That is, I can produce the bug without even using an ext2fs partition.
> Overrunning the directory buffer can cause panics and wrong results from
> readdir(3) even for native binaries, but this problem doesn't usually occur
> for native binaries because they use an adequate buffer size (4K). Linux
> binaries trigger the bug by using a too-small buffer size (512 bytes).
What buffers? Are they something a user program has control over, or
are they buried within library routines?
I tried bypassing readdir by using open and read on the directory. I
wrote a simple hex dump program and compiled it in RH 6.1. But Linux
wouldn't run it; read on a directory returned EISDIR (Is a directory).
Ironically, the Linuxulator did run the program, and read returned the
entire directory. So, I guess that narrows the problem to something
in the readdir library between the levels of read and readdir.
When 4.1 is released, I plan to cvsup to 4.1-R and redo these tests
more thoroughly. Maybe your patch is enough to prevent the panic, and
maybe the readdir problem is separate bug. I'll let you know.
--Mark
----------
/*
 * List directory contents with opendir and readdir.
 * Basically the same as "ls -1af".
 */
#include <sys/types.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>	/* exit() */

/* Print an error message and quit. */
void my_err(const char *mesg)
{
    printf("Error: %s\n", mesg);
    exit(1);
}

int main(int argc, char **argv)
{
    DIR *dp;
    struct dirent *de;
    int n;

    if ( argc < 2 ) my_err("missing directory");
    if ( (dp = opendir(argv[1])) == NULL )
        my_err("unable to open directory");

    /* Print and count every entry until readdir returns NULL. */
    n = 0;
    while ( (de = readdir(dp)) != NULL )
    {
        printf("%s\n", de->d_name);
        n++;
    }
    printf("Total: %d files\n", n);
    closedir(dp);
    return 0;
}
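Added example, not part of the original message or of any FreeBSD or Linux source: on a current Linux system readdir(3) fills a buffer inside libc through a getdents-family system call, so a program chooses the buffer size only by making that call itself. The sketch below counts a directory's entries through readdir and through raw getdents64 calls with 512-byte and 4K buffers so the totals can be compared; it assumes Linux with the getdents64 system call (an interface assumed here, not one named in this thread), declares struct linux_dirent64 by hand, and the function names count_getdents and count_readdir are hypothetical.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
struct linux_dirent64 {            /* record layout filled in by getdents64 */
    unsigned long long d_ino;
    long long d_off;
    unsigned short d_reclen;       /* total size of this record in bytes */
    unsigned char d_type;
    char d_name[];
};

/* Count entries via raw getdents64 with a bufsize-byte buffer; -1 on error or bad record. */
long count_getdents(const char *path, size_t bufsize) {
    char buf[4096] __attribute__((aligned(8)));
    long n = 0, got;
    int fd = bufsize <= sizeof(buf) ? open(path, O_RDONLY | O_DIRECTORY) : -1;
    if (fd < 0) return -1;
    while ((got = syscall(SYS_getdents64, fd, buf, bufsize)) > 0) {
        for (long off = 0; off < got; n++) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
            if (d->d_reclen == 0 || off + d->d_reclen > got) { close(fd); return -1; }
            off += d->d_reclen;
        }
    }
    close(fd);
    return got < 0 ? -1 : n;
}

/* Count entries through libc readdir, telling an error apart from end-of-directory. */
long count_readdir(const char *path) {
    DIR *dp = opendir(path);
    long n = 0;
    if (dp == NULL) return -1;
    for (;;) { errno = 0; if (readdir(dp) == NULL) break; n++; }
    int err = errno;
    closedir(dp);
    return err ? -1 : n;
}

int main(int argc, char **argv) {
    const char *p = argc > 1 ? argv[1] : ".";   /* directory to check */
    printf("readdir=%ld getdents64(512)=%ld getdents64(4096)=%ld\n",
           count_readdir(p), count_getdents(p, 512), count_getdents(p, 4096));
    return 0;
}
```

If the three totals differ for the same unchanged directory, the entries are being lost at the system call or below it, not in the library loop.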
