I mount an ext2 fs , then remount it with xip option set.
I get message below when do write operation in the fs.
--------
kernel BUG at fs/ext2/xip.c:21!
invalid opcode: 0000 [#1]
SMP
last sysfs file: /class/net/eth0/carrier
Modules linked in: ext2 autofs4 hidp rfcomm l2cap bluetooth sunrpc ipv6 dm_mirro
r dm_multipath video sbs i2c_ec button dock battery ac lp floppy snd_ens1371 gam
eport snd_rawmidi snd_ac97_codec pcnet32 ac97_bus snd_seq_dummy snd_seq_oss snd_
seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_time
r snd soundcore snd_page_alloc mii serio_raw parport_pc parport pcspkr BusLogic
i2c_piix4 i2c_core sg ext3 jbd mbcache squashfs dm_snapshot dm_mod loop sd_mod e
hci_hcd uhci_hcd ata_piix ata_generic libata sr_mod scsi_mod cdrom
CPU: 0
EIP: 0060:[<d8cba143>] Not tainted VLI
EFLAGS: 00010246 (2.6.21-1.3194.fc7 #1)
EIP is at ext2_clear_xip_target+0x1e/0x47 [ext2]
eax: d887da00 ebx: d310e3c0 ecx: d0648bd4 edx: 00001e01
esi: d0648b4c edi: 00000000 ebp: cc863e44 esp: cc863df8
ds: 007b es: 007b fs: 00d8 gs: 0033 ss: 0068
Process dd (pid: 3231, ti=cc863000 task=cd61b710 task.ti=cc863000)
Stack: 000000d8 ffffff10 00000200 00001e01 d8cb5b5b cc863e44 cc863e8c 00000c9f
cd61b710 00000001 d0648bd4 00000000 cc863e50 00000001 00000001 00000400
cc863e74 cc863e50 c043c220 d0648b4c 00001e01 00000000 00000f8c 00000e34
Call Trace:
[<d8cb5b5b>] ext2_get_block+0x3f4/0x52b [ext2]
[<c043c220>] clockevents_program_event+0xb2/0xb9
[<c04bed36>] avc_has_perm+0x4e/0x58
[<d8cba05d>] ext2_get_xip_page+0x65/0xde [ext2]
[<c0473972>] xip_file_write+0x232/0x38d
[<c0473740>] xip_file_write+0x0/0x38d
[<c0475d33>] vfs_write+0xa8/0x154
[<c0476342>] sys_write+0x41/0x67
[<c0404f70>] syscall_call+0x7/0xb
=======================
Code: 89 0c 24 e8 88 cd ff ff 83 c4 0c 5b c3 57 53 83 ec 08 8b 80 9c 00 00 00 8b
98 98 00 00 00 8b 43 5c 8b 40 34 8b 78 14 85 ff 75 04 <0f> 0b eb fe 8d 44 24 04
31 c9 c1 e2 03 89 04 24 89 d8 ff d7 85
EIP: [<d8cba143>] ext2_clear_xip_target+0x1e/0x47 [ext2] SS:ESP 0068:cc863df8
Yan Zheng wrote:
> I mount an ext2 fs , then remount it with xip option set.
> I get message below when do write operation in the fs.
Ouch. Like on mount, we should refuse -o xip on remount. The patch
below fixes this issue.
Signed-off-by: Carsten Otte <[email protected]>
---
Index: linux-2.6.22-rc4-mm/fs/ext2/super.c
===================================================================
--- linux-2.6.22-rc4-mm.orig/fs/ext2/super.c
+++ linux-2.6.22-rc4-mm/fs/ext2/super.c
@@ -1071,6 +1071,9 @@ static int ext2_remount (struct super_bl
sb->s_flags = (sb->s_flags & ~MS_POSIXACL) |
((sbi->s_mount_opt & EXT2_MOUNT_POSIX_ACL) ? MS_POSIXACL : 0);
+ ext2_xip_verify_sb(sb); /* see if bdev supports xip, unset
+ EXT2_MOUNT_XIP if not */
+
es = sbi->s_es;
if (((sbi->s_mount_opt & EXT2_MOUNT_XIP) !=
(old_mount_opt & EXT2_MOUNT_XIP)) &&
This is an updated version of my bugfix patch. Yan Zheng pointed out,
that ext2_remount lacks checking if -o xip should be enabled or not.
This patch checks for presence of direct_access on the backing block
device and if the blocksize meets the requirements.
Andrew, please consider adding this patch to -mm.
Signed-off-by: Carsten Otte <[email protected]>
---
Index: linux-2.6.22-rc4-mm/fs/ext2/super.c
===================================================================
--- linux-2.6.22-rc4-mm.orig/fs/ext2/super.c
+++ linux-2.6.22-rc4-mm/fs/ext2/super.c
@@ -1071,6 +1071,14 @@ static int ext2_remount (struct super_bl
sb->s_flags = (sb->s_flags & ~MS_POSIXACL) |
((sbi->s_mount_opt & EXT2_MOUNT_POSIX_ACL) ? MS_POSIXACL : 0);
+ ext2_xip_verify_sb(sb); /* see if bdev supports xip, unset
+ EXT2_MOUNT_XIP if not */
+
+ if ((ext2_use_xip(sb)) && (sb->s_blocksize != PAGE_SIZE)) {
+ printk("XIP: Unsupported blocksize\n");
+ goto restore_opts;
+ }
+
es = sbi->s_es;
if (((sbi->s_mount_opt & EXT2_MOUNT_XIP) !=
(old_mount_opt & EXT2_MOUNT_XIP)) &&
On Thursday 21 June 2007, Carsten Otte wrote:
>
> This is an updated version of my bugfix patch. Yan Zheng pointed out,
> that ext2_remount lacks checking if -o xip should be enabled or not.
> This patch checks for presence of direct_access on the backing block
> device and if the blocksize meets the requirements.
> Andrew, please consider adding this patch to -mm.
>
> Signed-off-by: Carsten Otte <[email protected]>
It looks to me like a local denial of service attack in case of
user-mountable ext2 file systems in /etc/fstab.
Shouldn't that make it go into 2.6.22?
Arnd <><
Hi,
On 6/22/07, Arnd Bergmann <[email protected]> wrote:
> On Thursday 21 June 2007, Carsten Otte wrote:
> >
> > This is an updated version of my bugfix patch. Yan Zheng pointed out,
> > that ext2_remount lacks checking if -o xip should be enabled or not.
> > This patch checks for presence of direct_access on the backing block
> > device and if the blocksize meets the requirements.
> > Andrew, please consider adding this patch to -mm.
> >
> > Signed-off-by: Carsten Otte <[email protected]>
>
> It looks to me like a local denial of service attack in case of
> user-mountable ext2 file systems in /etc/fstab.
>
> Shouldn't that make it go into 2.6.22?
I agree. I would go on to suggest that all trivially-triggered oopsen /
panics from userspace (even if they require privileges, such as the
cat /dev/snapshot == oops issue posted last week) in fact ought to
be CVE's, and the corresponding fixes for such issues be considered
as candidates for -stable, if applicable to the current stable kernel.
Satyam