On 2012-01-18 12:49:17, Linus Torvalds wrote: > Hmm. > > There are *two* cases where we do that "total_remaining_bytes" > calculation. The same bug seems to exist both in ecryptfs_read() and > ecryptfs_write(). ecryptfs_read() is ifdef'ed out, and has been for years, so I'll just go ahead and kill that function for good. > > Possibly only the ecryptfs_write() one leads to an endless loop, but > the read one looks suspicious too. > > Also, what protects things against this just being one nasty DoS > attack - even if the code is fixed to not be an endless loop, it looks > like a trivial "truncate()" can be used to generate a *practically* > infinite write stream. At the very least, this should be KILLABLE. Or > did I mis-read the code? I think you're right. I'll start off with making it killable and then see if there is anything else we can do. Tyler > > Tyler, Dustin, others - comments? This looks nasty. > > Linus. > > 2012/1/17 dragonylffly <dragonylffly@xxxxxxx>: > > Hi, > > There is an infinite loop bug in eCryptfs, to make it present, > > just truncate to generate a huge file (>= 4G) on a 32-bit machine under > > the plain text foleder mounted with eCryptfs, a simple command > > 'truncate -s 4G dummy' is enough. Note: 4GB is smaller than 4G, > > therefore the following command 'truncate -s 4GB dummy' will not > > trigger this bug. The bug comes from a data overflow, the patch below fixes > > it. > > > > Cheers, > > Li Wang > > > > --- > > > > signed-off-by: Li Wang <liwang@xxxxxxxxxxx> > > Yunchuan Wen (wenyunchuan@xxxxxxxxxxxxxx) > > > > --- read_write.c.orig 2012-01-18 10:39:26.000000000 +0800 > > +++ read_write.c 2012-01-18 19:48:41.484196221 +0800 > > @@ -130,7 +130,7 @@ > > pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT); > > size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK); > > size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); > > - size_t total_remaining_bytes = ((offset + size) - pos); > > + loff_t total_remaining_bytes = ((offset + size) - pos); > > > > if (num_bytes > total_remaining_bytes) > > num_bytes = total_remaining_bytes; > > > > > > > -- > To unsubscribe from this list: send the line "unsubscribe ecryptfs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html
Attachment:
signature.asc
Description: Digital signature
