From owner-freebsd-fs@FreeBSD.ORG Thu Jun 5 10:48:40 2008
Date: Thu, 5 Jun 2008 13:29:00 +0300
From: Jaakko Heinonen <jh@saunalahti.fi>
To: freebsd-fs@freebsd.org
Subject: [patch] bug in cd9660 readdir code
Message-ID: <20080605102900.GA1971@a91-153-120-204.elisa-laajakaista.fi>
User-Agent: Mutt/1.5.18 (2008-05-17)
List-Id: Filesystems

Hi,

There's a bug in cd9660_readdir() (src/sys/fs/cd9660/cd9660_vnops.c) which may change the directory position (offset) to an invalid value. The problem is that if all directory entries have been read and idp->curroff >= endsearch, the code doesn't enter the while (idp->curroff < endsearch) { loop which initializes idp->uio_off. Later in the code uio->uio_offset is changed to idp->uio_off (which may be uninitialized).

The PR 122925 (http://www.freebsd.org/cgi/query-pr.cgi?pr=122925) has a real life example of a problem caused by this bug. There's also a stripped down test program attached to the PR. Problems include readdir(3) restarting from a random position and geom errors caused by read attempts from bogus offsets.

Does the following patch look good? A few people have tested the patch and it has fixed problems for them. If the patch looks good could someone consider committing it?

Index: cd9660_vnops.c
===================================================================
RCS file: /home/ncvs/src/sys/fs/cd9660/cd9660_vnops.c,v
retrieving revision 1.113
diff -p -u -r1.113 cd9660_vnops.c
--- cd9660_vnops.c	15 Feb 2007 22:08:34 -0000	1.113
+++ cd9660_vnops.c	20 May 2008 06:45:20 -0000
@@ -495,6 +495,7 @@ cd9660_readdir(ap)
 	}
 	idp->eofflag = 1;
 	idp->curroff = uio->uio_offset;
+	idp->uio_off = uio->uio_offset;
 	if ((entryoffsetinblock = idp->curroff & bmask) &&
 	    (error = cd9660_blkatoff(vdp, (off_t)idp->curroff, NULL, &bp))) {

-- 
Jaakko
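Review bot: Placing the new idp->uio_off = uio->uio_offset assignment directly after idp->curroff = uio->uio_offset is the right spot: it runs before the cd9660_blkatoff() call and before the while (idp->curroff < endsearch) loop, so every path that reaches the final write-back of uio->uio_offset from idp->uio_off now sees a defined value, and on the skipped-loop path the caller's own offset is preserved, which is what a readdir(3) caller at end of directory expects. Two things are missing from the hunk itself: a one-line comment saying why the assignment is there (something like "/* default in case no entries are read */"), so it does not get removed as redundant later, and a commit message that cites PR 122925 and the test program attached to it, since that program is the regression check for exactly this no-entries path.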
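The control-flow problem the mail describes, modelled in a constructed C program so the read-before-write becomes observable. This is an added example; it is not code from the mail, from PR 122925 or from the FreeBSD kernel, and the names struct isoreaddir_model, readdir_offset_after(), offset_within_directory(), POISON and ENTRY_LEN are assumptions of the model rather than kernel identifiers. POISON stands in for whatever was in memory before the field was written, and the loop body is reduced to the offset arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the offset bookkeeping in cd9660_readdir(); it is not
 * the kernel code. POISON stands in for whatever happened to be in memory
 * before the field was written, so the read-before-write is observable
 * instead of undefined behaviour. ENTRY_LEN is an assumed fixed entry size. */
#define POISON    0xDEADBEEFDEADBEEFULL
#define ENTRY_LEN 34ULL

struct isoreaddir_model {
    uint64_t curroff;   /* scan position while walking the directory */
    uint64_t uio_off;   /* position handed back to the caller at the end */
    int      eofflag;
};

/*
 * Returns the offset the caller's uio->uio_offset would hold after the call.
 *   start_off : offset the caller passed in
 *   endsearch : size of the directory in bytes (the scan stops here)
 *   fixed     : 0 = behaviour before the patch, 1 = with the one-line fix
 */
uint64_t readdir_offset_after(uint64_t start_off, uint64_t endsearch, int fixed)
{
    struct isoreaddir_model idp = { POISON, POISON, 0 };
    uint64_t uio_offset = start_off;

    idp.eofflag = 1;
    idp.curroff = uio_offset;
    if (fixed)
        idp.uio_off = uio_offset;       /* the patch: defined value on every path */

    /* Entry loop; never entered when the caller is already at or past the end. */
    while (idp.curroff < endsearch) {
        /* (a real implementation copies the entry at idp.curroff out here) */
        idp.curroff += ENTRY_LEN;
        idp.uio_off  = idp.curroff;     /* resume point for the next call */
    }

    uio_offset = idp.uio_off;           /* unconditional write-back */
    return uio_offset;
}

/* Sanity check on the returned position: a directory offset handed back by
 * readdir should never point past the end of the directory. */
int offset_within_directory(uint64_t off, uint64_t endsearch)
{
    return off <= endsearch;
}

int main(void)
{
    const uint64_t dir_size = 2 * ENTRY_LEN;    /* constructed: two entries */
    uint64_t before = readdir_offset_after(dir_size, dir_size, 0);
    uint64_t after  = readdir_offset_after(dir_size, dir_size, 1);

    printf("call at EOF, unpatched: 0x%llx (%s)\n", (unsigned long long)before,
           offset_within_directory(before, dir_size) ? "sane" : "bogus");
    printf("call at EOF, patched:   0x%llx (%s)\n", (unsigned long long)after,
           offset_within_directory(after, dir_size) ? "sane" : "bogus");
    return 0;
}
```

The second call in main() is the situation the PR's test program exercises: the caller is already at the end, the loop is skipped, and without the fix the poison value flows into the write-back and would next be used as a block offset, which is where the "random restart" and the bogus-offset read errors come from. Note that a compiler's uninitialized-variable warning catches this only for plain locals; a field in a heap-allocated struct like idp gets no such warning, so the defensive habit is to give every out-field a default before any conditional path.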