From: Theodore Tso Subject: Re: [PATCH] ext4: fix null pointer deref on mount Date: Mon, 5 Jan 2009 12:02:59 -0500 Message-ID: <20090105170259.GB8939@mit.edu> References: <4961603B.5020505@ph.tum.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Ext4 Developers List To: Thiemo Nagel Return-path: Received: from thunk.org ([69.25.196.29]:58254 "EHLO thunker.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751373AbZAERDD (ORCPT ); Mon, 5 Jan 2009 12:03:03 -0500 Content-Disposition: inline In-Reply-To: <4961603B.5020505@ph.tum.de> Sender: linux-ext4-owner@vger.kernel.org List-ID: On Mon, Jan 05, 2009 at 02:19:55AM +0100, Thiemo Nagel wrote: > I came across a null pointer dereference when mounting an intentionally > corrupted filesystem (cf. debug.dmesg). In my opinion, the problem lies > in ext4_fill_super(), where truncation may occur on setting the integer > db_count, which results in too little memory being allocated for > sbi->s_group_desc. The attached patch (against 2.6.28) fixes this by > changing the type of db_count to unsigned long. I also took the > opportunity to make the check against sign extension in calculation of > db_count more strict, so that it now excludes cases in which db_count > comes out as zero. Usigned unsigned long is almost always wrong, because it's not a fixed size; it's 32 bits on x86_32, but 64 bits on x86_64. In this particular case, db_count is always going to well under 32-bits for any legitimate filesystem. If it isn't we need to have better checks; it sounds like the checks we need are ones that do a better job checking s_blocks_per_group; am I right in assuming that s_blocks_per_group was something ridiculous and that is what caused the overflow? - Ted