Date: Wed, 26 Jul 2000 20:20:02 -0700 (PDT)
From: Bruce Evans <bde@zeta.org.au>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/19407: Panic running linux binary on ext2fs
Message-ID: <200007270320.UAA23326@freefall.freebsd.org>

The following reply was made to PR kern/19407; it has been noted by GNATS.

From: Bruce Evans <bde@zeta.org.au>
To: "Mark W. Krentel" <krentel@dreamscape.com>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/19407: Panic running linux binary on ext2fs
Date: Thu, 27 Jul 2000 13:09:57 +1000 (EST)

On Tue, 25 Jul 2000, Mark W. Krentel wrote:

> > I found some of the problems using these hints. There were 2 serious bugs
> > in ext2_readdir(): writing far beyond the end of the cookie buffer, and
> > reading a little beyond the end of the directory buffer.
>
> Thanks for looking at the PR! I tried the patch, but unfortunately
> it didn't make any difference.
>
> Are you able to reproduce the bug? I can produce it with just the

Only the panic.

> simple readdir program (see below). Readdir prematurely returns NULL
> on both ext2fs and cdrom partitions and thus lists too few files.
> That is, I can produce the bug without even using an ext2fs partition.

I didn't try the program, but linux-ls -R works right on a linux partition
and on a cdrom here.

> > Overrunning the directory buffer can cause panics and wrong results from
> > readdir(3) even for native binaries, but this problem doesn't usually occur
> > for native binaries because they use an adequate buffer size (4K). Linux
> > binaries trigger the bug by using a too-small buffer size (512 bytes).
>
> What buffers? Are they something a user program has control over, or
> are they buried within library routines?

Mostly user buffers in readdir(3), but the Linuxulator and nfs use too-small
buffers or a too-small rounding up in some cases.

> I tried bypassing readdir by using open and read on the directory. I
> wrote a simple hex dump program and compiled it in RH 6.1. But Linux
> wouldn't run it; read on a directory returned EISDIR (Is a directory).
> Ironically, the Linuxulator did run the program, and read returned the
> entire directory. So, I guess that narrows the problem to something
> in the readdir library between the levels of read and readdir.

readdir(3) doesn't use read(2) under either FreeBSD or Linux. It can't,
because not all file systems have read(2)'able directories (under Linux,
no file systems have read(2)'able directories). Under FreeBSD, readdir(3)
is a simple wrapper around getdirentries(2), and the bug is probably in
the latter.

Bruce

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
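
The two ext2_readdir() bugs named in the message above (writing past the cookie buffer, reading past the directory buffer) are both out-of-bounds accesses in a loop over variable-length records. The following is an added example, not part of the original e-mail and not FreeBSD's ext2_readdir() code: copy_dirents, SAMPLE and the cookie-as-next-offset convention are assumptions for illustration, and the 8-byte header is the ext2 on-disk directory entry layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 8 /* inode(4) + rec_len(2, little-endian) + name_len(1) + type(1) */
/* Constructed sample block: ".", ".." and "hello" (12 + 12 + 16 bytes). */
static const uint8_t SAMPLE[40] = {
    2, 0, 0, 0, 12, 0, 1, 2, '.', 0, 0, 0,
    2, 0, 0, 0, 12, 0, 2, 2, '.', '.', 0, 0,
    11, 0, 0, 0, 16, 0, 5, 1, 'h', 'e', 'l', 'l', 'o', 0, 0, 0,
};

/* Hypothetical helper (not FreeBSD's ext2_readdir): copy whole records from
 * blk[start..blklen) into out and store one cookie per record copied.
 * Returns the record count, or -1 if the block is malformed. *next is the
 * offset to resume from; *next < blklen means out or cookies filled up. */
static int copy_dirents(const uint8_t *blk, size_t blklen, size_t start,
                        uint8_t *out, size_t outlen,
                        uint32_t *cookies, size_t ncookies, size_t *next)
{
    size_t off = start, used = 0, n = 0;
    while (off < blklen) {
        /* Read side: the fixed header must lie inside the block. */
        if (blklen - off < HDR)
            return -1;
        size_t reclen = (size_t)blk[off + 4] | ((size_t)blk[off + 5] << 8);
        size_t namelen = blk[off + 6];
        /* rec_len must cover header + name and end inside the block;
         * this also rejects rec_len == 0, which would never advance. */
        if (reclen < HDR + namelen || reclen > blklen - off)
            return -1;
        /* Write side: stop before the data buffer or cookie array overflows. */
        if (reclen > outlen - used || n >= ncookies)
            break;
        memcpy(out + used, blk + off, reclen);
        used += reclen;
        off += reclen;
        cookies[n++] = (uint32_t)off; /* assumed: cookie = next record's offset */
    }
    *next = off;
    return (int)n;
}

int main(void)
{
    uint8_t out[20]; uint32_t ck[8]; size_t next = 0;
    int n = copy_dirents(SAMPLE, sizeof SAMPLE, 0, out, sizeof out, ck, 8, &next);
    printf("copied %d record(s), resume at offset %zu\n", n, next);
    return 0;
}
```

With a data buffer smaller than the block, the caller gets a short count and a resume offset instead of an overrun, which is the behaviour a too-small caller buffer needs.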