Re: [PATCH V2] bcache: fix stack corruption by PRECEDING_KEY()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2019/6/9 11:24 下午, Coly Li wrote:
> Recently people report bcache code compiled with gcc9 is broken, one of
> the buggy behavior I observe is that two adjacent 4KB I/Os should merge
> into one but they don't. Finally it turns out to be a stack corruption
> caused by macro PRECEDING_KEY().
> 
> See how PRECEDING_KEY() is defined in bset.h,
> 437 #define PRECEDING_KEY(_k)                                       \
> 438 ({                                                              \
> 439         struct bkey *_ret = NULL;                               \
> 440                                                                 \
> 441         if (KEY_INODE(_k) || KEY_OFFSET(_k)) {                  \
> 442                 _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0);  \
> 443                                                                 \
> 444                 if (!_ret->low)                                 \
> 445                         _ret->high--;                           \
> 446                 _ret->low--;                                    \
> 447         }                                                       \
> 448                                                                 \
> 449         _ret;                                                   \
> 450 })
> 
> At line 442, _ret points to address of a on-stack variable combined by
> KEY(), the life range of this on-stack variable is in line 442-446,
> once _ret is returned to bch_btree_insert_key(), the returned address
> points to an invalid stack address and this address is overwritten in
> the following called bch_btree_iter_init(). Then argument 'search' of
> bch_btree_iter_init() points to some address inside stackframe of
> bch_btree_iter_init(), exact address depends on how the compiler
> allocates stack space. Now the stack is corrupted.
> 
> Signed-off-by: Coly Li <colyli@xxxxxxx>
> Reviewed-by: Rolf Fokkens <rolf@xxxxxxxxxxxxxx>
> Reviewed-by: Pierre JUHEN <pierre.juhen@xxxxxxxxx>

Hi Rolf and Pierre,

Oops, I am a little bit too hurry, just realize you don't offer
Reviewed-by: yet.

Could you like to offer a Reviewed-by: to this patch, then I may submit
to Jens in this run ASAP.

Many thanks of your code review and help !

Coly Li


> Tested-by: Shenghui Wang <shhuiw@xxxxxxxxxxx>
> Cc: Kent Overstreet <kent.overstreet@xxxxxxxxx>
> Cc: Nix <nix@xxxxxxxxxxxxx>
> ---
> Changlog:
> V2: Fix a pointer assignment problem in preceding_key(), which is
>     pointed by Rolf Fokkens and Pierre JUHEN.
> V1: Initial RFC patch for review and comment.
> 
>  drivers/md/bcache/bset.c | 16 +++++++++++++---
>  drivers/md/bcache/bset.h | 34 ++++++++++++++++++++--------------
>  2 files changed, 33 insertions(+), 17 deletions(-)
[snipped]



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux ARM Kernel]     [Linux Filesystem Development]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux