From owner-freebsd-bugs Mon Oct 14 13:20:06 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Message-Id: <200210142016.g9EKGelQ003887@elgar.kettenis.dyndns.org>
Date: Mon, 14 Oct 2002 22:16:40 +0200 (CEST)
From: Mark Kettenis
Reply-To: Mark Kettenis
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/44060: [PATCH] for panic in ext2fs

>Number: 44060
>Category: kern
>Synopsis: [PATCH] for panic in ext2fs
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Oct 14 13:20:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Mark Kettenis
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD elgar.kettenis.dyndns.org 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Mon Oct 14 13:24:27 CEST 2002 kettenis@elgar.kettenis.dyndns.org:/usr/obj/usr/src/sys/GENERIC i386

>Description:
There's a bug in ext2fs that leads to a kernel panic in -CURRENT (unless option NO_GEOM is present in your config).

>How-To-Repeat:
In my case this happens when I try to run the GDB testsuite with the GDB sources mounted from an ext2fs filesystem.

>Fix:
The attached patch fixes the bug. In the fragment of code displayed in the patch, `ep' is a pointer into `bp->b_data' (where `bp' is a `struct buf'). Since the code leading up to this point brelse()'s the buffer, we're potentially accessing memory that's no longer there. In a GEOMised kernel this seems to be happening, and the resulting page fault leads to a kernel panic. Storing the value of ep->name_len in a local variable should solve the problem. It turns out there is already such a variable called `namelen', so this patch simply uses that variable. Seems to solve the problem for me.

This patch is against version 1.36 of ext2_lookup.c
http://members.chello.nl/~m.m.kettenis/FreeBSD/5-current/ext2fs.patch
Mark

--- /usr/src/sys/gnu/ext2fs/ext2_lookup.c.orig Thu Aug 15 22:55:01 2002 +++ /usr/src/sys/gnu/ext2fs/ext2_lookup.c Mon Oct 14 21:19:30 2002 @@ -563,10 +563,9 @@ found: * Check that directory length properly reflects presence * of this entry. */ - if (entryoffsetinblock + EXT2_DIR_REC_LEN(ep->name_len) - > dp->i_size) { + if (entryoffsetinblock + EXT2_DIR_REC_LEN(namlen) > dp->i_size) { ext2_dirbad(dp, dp->i_offset, "i_size too small"); - dp->i_size = entryoffsetinblock+EXT2_DIR_REC_LEN(ep->name_len); + dp->i_size = entryoffsetinblock + EXT2_DIR_REC_LEN(namlen); dp->i_flag |= IN_CHANGE | IN_UPDATE; }

>Release-Note:
>Audit-Trail:
>Unformatted:
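Review bot: the hunk's context does not show where `namlen` is assigned, so confirm that every path that jumps to `found:` sets `namlen` from `ep->name_len` before the `brelse()` the description mentions; if any path reaches `found:` without doing so, the check would compare against a stale or uninitialised length rather than the entry's. Since `ep` still points into the released `bp->b_data` after this hunk, a short comment above the `if` (something like `/* ep is invalid past brelse(); use the saved namlen */`) would stop the dereference from being reintroduced by a later edit. Also, the PR text calls the variable `namelen` while the patch uses `namlen`; the description should match the code.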
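As an added illustration of the use-after-brelse() pattern the Fix section describes (example code written here, not code from the PR or from the FreeBSD tree): a user-space C mock in which the buffer "cache" deterministically overwrites a released block, so the pre-patch read of `ep->name_len` after release visibly returns a wrong length, while the patched pattern, which copies the length into `namlen` first, computes the correct value. `struct buf`, `brelse()`, `read_dir_block()`, the directory-entry layout and the `EXT2_DIR_REC_LEN` macro are simplified stand-ins that borrow the kernel's names; the directory entry "foo" is constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an ext2 on-disk directory entry; field names
 * follow the kernel's, the layout is simplified. */
struct ext2_dirent {
    uint32_t inode;
    uint16_t rec_len;
    uint8_t  name_len;
    uint8_t  file_type;
    char     name[255];
};

/* Same rounding as the kernel macro: 8-byte header + name, rounded to 4. */
#define EXT2_DIR_REC_LEN(name_len) (((name_len) + 8 + 3) & ~3)

/* Toy buffer-cache block standing in for struct buf. */
struct buf {
    unsigned char b_data[4096];
    int b_valid;
};

/* Stand-in for brelse(): the block goes back to the cache and its memory
 * may be reused.  Reuse is made deterministic here by filling b_data with
 * 0xFF, so a read through a stale pointer is easy to spot. */
static void brelse(struct buf *bp)
{
    bp->b_valid = 0;
    memset(bp->b_data, 0xFF, sizeof bp->b_data);
}

/* Load one constructed entry, "foo" (inode 12), at block offset 0. */
static void read_dir_block(struct buf *bp)
{
    struct ext2_dirent *ep = (struct ext2_dirent *)bp->b_data;
    memset(bp, 0, sizeof *bp);
    bp->b_valid = 1;
    ep->inode = 12;
    ep->name_len = 3;
    ep->rec_len = EXT2_DIR_REC_LEN(3);
    memcpy(ep->name, "foo", 3);
}

/* Pre-patch pattern: ep is dereferenced after the buffer is released, so
 * the length comes from whatever now occupies b_data (here 0xFF = 255). */
unsigned required_size_buggy(unsigned entryoffsetinblock)
{
    struct buf b;
    read_dir_block(&b);
    struct ext2_dirent *ep = (struct ext2_dirent *)b.b_data;
    brelse(&b);                         /* released before the check */
    return entryoffsetinblock + EXT2_DIR_REC_LEN(ep->name_len);
}

/* Patched pattern: copy name_len into namlen while the buffer is still
 * valid and never touch ep after brelse(). */
unsigned required_size_fixed(unsigned entryoffsetinblock)
{
    struct buf b;
    read_dir_block(&b);
    struct ext2_dirent *ep = (struct ext2_dirent *)b.b_data;
    unsigned namlen = ep->name_len;     /* saved before release */
    brelse(&b);
    return entryoffsetinblock + EXT2_DIR_REC_LEN(namlen);
}

/* Mirrors the patched i_size check: returns the corrected i_size, or the
 * original when the entry already fits. */
unsigned check_i_size(unsigned i_size, unsigned required)
{
    return required > i_size ? required : i_size;
}

int main(void)
{
    unsigned off = 0, i_size = 12;      /* "foo" fits exactly in 12 bytes */
    printf("fixed: need %u, i_size -> %u\n", required_size_fixed(off),
           check_i_size(i_size, required_size_fixed(off)));
    printf("buggy: need %u, i_size -> %u\n", required_size_buggy(off),
           check_i_size(i_size, required_size_buggy(off)));
    return 0;
}
```

In the mock the stale read only yields a wrong size and a spurious "i_size too small" correction; in the kernel the released page may be unmapped entirely, which is the page fault and panic the PR reports. The point the example makes is the same either way: any field of `ep` that is needed after `brelse()` has to be copied out while the buffer is still held.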