On Mon, Jan 05, 2009 at 02:19:55AM +0100, Thiemo Nagel wrote: > I came across a null pointer dereference when mounting an intentionally > corrupted filesystem (cf. debug.dmesg). In my opinion, the problem lies > in ext4_fill_super(), where truncation may occur on setting the integer > db_count, which results in too little memory being allocated for > sbi->s_group_desc. The attached patch (against 2.6.28) fixes this by > changing the type of db_count to unsigned long. I also took the > opportunity to make the check against sign extension in calculation of > db_count more strict, so that it now excludes cases in which db_count > comes out as zero. Usigned unsigned long is almost always wrong, because it's not a fixed size; it's 32 bits on x86_32, but 64 bits on x86_64. In this particular case, db_count is always going to well under 32-bits for any legitimate filesystem. If it isn't we need to have better checks; it sounds like the checks we need are ones that do a better job checking s_blocks_per_group; am I right in assuming that s_blocks_per_group was something ridiculous and that is what caused the overflow? - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
