Bug#78364: marked as done (hurd: lookup for names > diskfs_name_max kills filesystem)

Debian Bug Tracking System Thu, 30 Nov 2000 11:10:23 -0800
Your message dated Thu, 30 Nov 2000 20:14:56 +0100
with message-id <[EMAIL PROTECTED]>
and subject line hurd: lookup for names > diskfs_name_max kills filesystem
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Darren Benham
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 29 Nov 2000 22:16:59 +0000
>From [EMAIL PROTECTED] Wed Nov 29 16:16:59 2000
Return-path: <[EMAIL PROTECTED]>
Received: from (c3po.terralink.de) [194.97.37.23] (qmailr)
        by master.debian.org with smtp (Exim 3.12 1 (Debian))
        id 141FX9-0007LE-00; Wed, 29 Nov 2000 16:16:59 -0600
Received: (qmail 1948 invoked from network); 29 Nov 2000 22:16:53 -0000
Received: from 213?21?42?69.surf-callino.de (HELO localhost) ([EMAIL PROTECTED])
  by c3po.t-link.de with SMTP; 29 Nov 2000 22:16:53 -0000
Received: from marcus by localhost with local (Exim 3.16 #1 (Debian))
        id 141FY4-00008J-00; Wed, 29 Nov 2000 23:17:56 +0100
From: [EMAIL PROTECTED]
Subject: hurd: lookup for names > diskfs_name_max kills filesystem
To: [EMAIL PROTECTED]
X-Mailer: bug 3.2.9
Message-Id: <E141FY4-00008J-00@localhost>
Date: Wed, 29 Nov 2000 23:17:56 +0100
Organization: Marcus Brinkmann's Home
Delivered-To: [EMAIL PROTECTED]

Package: hurd
Version: N/A
Severity: normal

Hi,

touch [ALT+256] x

crashes the filesystem. Further debugging showed that the crash happens
immediately after diskfs_S_dir_lookup is called, in the destructor.
The destuctor for dir_lookup is in libdiskfs/priv.h, it is:

extern inline void
end_using_protid_port (struct protid *cred)
{
  if (cred)
    ports_port_deref (cred);
}

The crash happens in ports_port_deref, when trying to derefence pi, which is
just cred but interpreted as a pointer to a struct port_info.

Now, that's weird. It crashes with E_BAD_ACCESS in ports_port_deref, because
it can't access the memory at cred. I verified that in _Xdir_lookup

        start_dir = begin_using_protid_port(In0P->Head.msgh_request_port);

        OutP->RetCode = diskfs_S_dir_lookup(start_dir, In0P->file_name, In0P->flags, 
In0P->mode, &OutP->do_retry, OutP->retry_name, &OutP->result, &resultPoly);
        end_using_protid_port(start_dir);

the value of start_dir isn't mangled (wouldn't make sense anyway).
It is the same for diskfs_S_dir_lookup as for end_using_protid_port.
Maybe the memory at this location is accidently freed? How could this
happen? I single stepped through diskfs_S_dir_lookup and diskfs_lookup,
without seeing anything special.

Any hints appreciated,
Marcus


-- System Information
Debian Release: 2.2
Kernel Version: Linux ulysses 2.4.0-test9 #1 Mon Okt 30 20:36:05 CET 2000 i686 unknown


---------------------------------------
Received: (at 78364-done) by bugs.debian.org; 30 Nov 2000 19:12:08 +0000
>From [EMAIL PROTECTED] Thu Nov 30 13:12:08 2000
Return-path: <[EMAIL PROTECTED]>
Received: from (c3po.terralink.de) [194.97.37.23] (qmailr)
        by master.debian.org with smtp (Exim 3.12 1 (Debian))
        id 141Z7n-0005bK-00; Thu, 30 Nov 2000 13:12:07 -0600
Received: (qmail 12592 invoked from network); 30 Nov 2000 19:12:01 -0000
Received: from 213?21?44?245.surf-callino.de (HELO localhost) ([EMAIL PROTECTED])
  by c3po.t-link.de with SMTP; 30 Nov 2000 19:12:01 -0000
Received: from marcus by localhost with local (Exim 3.16 #1 (Debian))
        for [EMAIL PROTECTED]
        id 141ZAW-0000Ar-00; Thu, 30 Nov 2000 20:14:56 +0100
Date: Thu, 30 Nov 2000 20:14:56 +0100
From: Marcus Brinkmann <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: hurd: lookup for names > diskfs_name_max kills filesystem
Message-ID: <[EMAIL PROTECTED]>
References: <E141FY4-00008J-00@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.1.4i
In-Reply-To: <E141FY4-00008J-00@localhost>; from [EMAIL PROTECTED] 
on Wed, Nov 29, 2000 at 11:17:56PM +0100
Organization: Marcus Brinkmann's Home
Delivered-To: [EMAIL PROTECTED]

On Wed, Nov 29, 2000 at 11:17:56PM +0100, [EMAIL PROTECTED] wrote:
> touch [ALT+256] x
> 
> crashes the filesystem.

The reason is that struct dirstat *ds is not cleared and contains bogus
information. This frees some random memory in diskfs_drop_dir_stat.

The following chnage fixes that:

ext2fs, ufs:
2000-11-30  Marcus Brinkmann  <[EMAIL PROTECTED]>

        * dir.c (diskfs_lookup_hard): If name is too long, clear
        DS before returning ENAMETOOLONG.

Marcus

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org [EMAIL PROTECTED]
Marcus Brinkmann              GNU    http://www.gnu.org    [EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.marcus-brinkmann.de

_______________________________________________
Bug-hurd mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-hurd
Bug#78364: marked as done (hurd: lookup for names > diskfs_name_max kills filesystem)

Reply via email to
