Hmm. There are *two* cases where we do that "total_remaining_bytes" calculation. The same bug seems to exist both in ecryptfs_read() and ecryptfs_write(). Possibly only the ecryptfs_write() one leads to an endless loop, but the read one looks suspicious too. Also, what protects things against this just being one nasty DoS attack - even if the code is fixed to not be an endless loop, it looks like a trivial "truncate()" can be used to generate a *practically* infinite write stream. At the very least, this should be KILLABLE. Or did I mis-read the code? Tyler, Dustin, others - comments? This looks nasty. Linus. 2012/1/17 dragonylffly <dragonylffly@xxxxxxx>: > Hi, > There is an infinite loop bug in eCryptfs, to make it present, > just truncate to generate a huge file (>= 4G) on a 32-bit machine under > the plain text foleder mounted with eCryptfs, a simple command > 'truncate -s 4G dummy' is enough. Note: 4GB is smaller than 4G, > therefore the following command 'truncate -s 4GB dummy' will not > trigger this bug. The bug comes from a data overflow, the patch below fixes > it. > > Cheers, > Li Wang > > --- > > signed-off-by: Li Wang <liwang@xxxxxxxxxxx> > Yunchuan Wen (wenyunchuan@xxxxxxxxxxxxxx) > > --- read_write.c.orig 2012-01-18 10:39:26.000000000 +0800 > +++ read_write.c 2012-01-18 19:48:41.484196221 +0800 > @@ -130,7 +130,7 @@ > pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT); > size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK); > size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); > - size_t total_remaining_bytes = ((offset + size) - pos); > + loff_t total_remaining_bytes = ((offset + size) - pos); > > if (num_bytes > total_remaining_bytes) > num_bytes = total_remaining_bytes; > > > -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html