FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 03-05-2012, 01:07 PM
Colin King
 
Default eCryptfs: Infinite loop due to overflow in ecryptfs_write()

From: Colin Ian King <colin.king@canonical.com>

BugLink: http://bugs.launchpad.net/bugs/947143

SRU justification:

Impact:

ecryptfs_write() can enter an infinite loop when truncating a file to a
size larger than 4G. This only happens on architectures where size_t is
represented by 32 bits.

This was caused by a size_t overflow due to it incorrectly being used to
store the result of a calculation which uses potentially large values of
type loff_t.

Fix:

Upstream commit 684a3ff7e69acc7c678d1a1394fe9e757993fd34

Testcase:

Truncating a non-existent file to 5GB on a 32 bit system
will cause the truncate to get stuck in an infinite loop
once the lower file is greater than 1GB. Without the fix,
the following will get stuck:

truncate bigfile -s 5G

With, the fix, the file is truncated to 5GB as expected.

Li Wang (1):
eCryptfs: Infinite loop due to overflow in ecryptfs_write()

fs/ecryptfs/read_write.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

--
1.7.9


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 03-05-2012, 01:07 PM
Colin King
 
Default eCryptfs: Infinite loop due to overflow in ecryptfs_write()

From: Li Wang <liwang@nudt.edu.cn>

ecryptfs_write() can enter an infinite loop when truncating a file to a
size larger than 4G. This only happens on architectures where size_t is
represented by 32 bits.

This was caused by a size_t overflow due to it incorrectly being used to
store the result of a calculation which uses potentially large values of
type loff_t.

[tyhicks@canonical.com: rewrite subject and commit message]
Signed-off-by: Li Wang <liwang@nudt.edu.cn>
Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Colin ian King <colin.king@canonical.com>
(cherry picked from commit 684a3ff7e69acc7c678d1a1394fe9e757993fd34)
---
fs/ecryptfs/read_write.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
index 3745f7c..ec3d936 100644
--- a/fs/ecryptfs/read_write.c
+++ b/fs/ecryptfs/read_write.c
@@ -130,13 +130,13 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset,
pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT);
size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK);
size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
- size_t total_remaining_bytes = ((offset + size) - pos);
+ loff_t total_remaining_bytes = ((offset + size) - pos);

if (num_bytes > total_remaining_bytes)
num_bytes = total_remaining_bytes;
if (pos < offset) {
/* remaining zeros to write, up to destination offset */
- size_t total_remaining_zeros = (offset - pos);
+ loff_t total_remaining_zeros = (offset - pos);

if (num_bytes > total_remaining_zeros)
num_bytes = total_remaining_zeros;
--
1.7.9


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 03-05-2012, 04:18 PM
Colin King
 
Default eCryptfs: Infinite loop due to overflow in ecryptfs_write()

From: Colin Ian King <colin.king@canonical.com>

BugLink: http://bugs.launchpad.net/bugs/947143

SRU justification:

Impact:

ecryptfs_write() can enter an infinite loop when truncating a file to a
size larger than 4G. This only happens on architectures where size_t is
represented by 32 bits.

This was caused by a size_t overflow due to it incorrectly being used to
store the result of a calculation which uses potentially large values of
type loff_t.

Fix:

Backported commit 684a3ff7e69acc7c678d1a1394fe9e757993fd34 (needed a tiny
bit of backporting attention because it didn't cleanly apply because of
commit 6d7368f9822016069edf2d1a488d71004d3c39cc)

Testcase:

Truncating a non-existent file to 5GB on a 32 bit system
will cause the truncate to get stuck in an infinite loop
once the lower file is greater than 1GB. Without the fix,
the following will get stuck:

truncate bigfile -s 5G

With, the fix, the file is truncated to 5GB as expected.

Colin Ian King (1):
eCryptfs: Infinite loop due to overflow in ecryptfs_write()

fs/ecryptfs/read_write.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

--
1.7.4.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 03-05-2012, 04:18 PM
Colin King
 
Default eCryptfs: Infinite loop due to overflow in ecryptfs_write()

From: Colin Ian King <colin.king@canonical.com>

BugLink: http://bugs.launchpad.net/bugs/947143

ecryptfs_write() can enter an infinite loop when truncating a file to a
size larger than 4G. This only happens on architectures where size_t is
represented by 32 bits.

This was caused by a size_t overflow due to it incorrectly being used to
store the result of a calculation which uses potentially large values of
type loff_t.

[tyhicks@canonical.com: rewrite subject and commit message]
Signed-off-by: Li Wang <liwang@nudt.edu.cn>
Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
(backported from commit 684a3ff7e69acc7c678d1a1394fe9e757993fd34)
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
fs/ecryptfs/read_write.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
index 54eb14c..608c1c3 100644
--- a/fs/ecryptfs/read_write.c
+++ b/fs/ecryptfs/read_write.c
@@ -130,7 +130,7 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset,
pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT);
size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK);
size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
- size_t total_remaining_bytes = ((offset + size) - pos);
+ loff_t total_remaining_bytes = ((offset + size) - pos);

if (fatal_signal_pending(current)) {
rc = -EINTR;
@@ -141,7 +141,7 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset,
num_bytes = total_remaining_bytes;
if (pos < offset) {
/* remaining zeros to write, up to destination offset */
- size_t total_remaining_zeros = (offset - pos);
+ loff_t total_remaining_zeros = (offset - pos);

if (num_bytes > total_remaining_zeros)
num_bytes = total_remaining_zeros;
--
1.7.4.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 01:57 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org