Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 104638 Details for
Bug 158782
Linux 2.6.x ISO9660 __find_get_block_slow() denial of service (CVE-2006-5757)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch
1905_fs-buffers-infinite-loop.patch (text/plain), 1.92 KB, created by
Daniel Drake (RETIRED)
on 2006-12-23 08:23:33 UTC
(
hide
)
Description:
patch
Filename:
MIME Type:
Creator:
Daniel Drake (RETIRED)
Created:
2006-12-23 08:23:33 UTC
Size:
1.92 KB
patch
obsolete
>From: Andrew Morton <akpm@osdl.org> >Date: Wed, 11 Oct 2006 08:21:46 +0000 (-0700) >Subject: [PATCH] grow_buffers() infinite loop fix >X-Git-Tag: v2.6.19-rc2 >X-Git-Url: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e5657933863f43cc6bb76a54d659303dafaa9e58 > >[PATCH] grow_buffers() infinite loop fix > >If grow_buffers() is for some reason passed a block number which wants to lie >outside the maximum-addressable pagecache range (PAGE_SIZE * 4G bytes) then it >will accidentally truncate `index' and will then instnatiate a page at the >wrong pagecache offset. This causes __getblk_slow() to go into an infinite >loop. > >This can happen with corrupted disks, or with software errors elsewhere. > >Detect that, and handle it. > >Signed-off-by: Andrew Morton <akpm@osdl.org> >Signed-off-by: Linus Torvalds <torvalds@osdl.org> >--- > >--- a/fs/buffer.c >+++ b/fs/buffer.c >@@ -1042,8 +1042,21 @@ grow_buffers(struct block_device *bdev, > } while ((size << sizebits) < PAGE_SIZE); > > index = block >> sizebits; >- block = index << sizebits; > >+ /* >+ * Check for a block which wants to lie outside our maximum possible >+ * pagecache index. (this comparison is done using sector_t types). >+ */ >+ if (unlikely(index != block >> sizebits)) { >+ char b[BDEVNAME_SIZE]; >+ >+ printk(KERN_ERR "%s: requested out-of-range block %llu for " >+ "device %s\n", >+ __FUNCTION__, (unsigned long long)block, >+ bdevname(bdev, b)); >+ return -EIO; >+ } >+ block = index << sizebits; > /* Create a page with the proper size buffers.. */ > page = grow_dev_page(bdev, block, index, size); > if (!page) >@@ -1070,12 +1083,16 @@ __getblk_slow(struct block_device *bdev, > > for (;;) { > struct buffer_head * bh; >+ int ret; > > bh = __find_get_block(bdev, block, size); > if (bh) > return bh; > >- if (!grow_buffers(bdev, block, size)) >+ ret = grow_buffers(bdev, block, size); >+ if (ret < 0) >+ return NULL; >+ if (ret == 0) > free_more_memory(); > } > }
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 158782
: 104638