Red Hat Bugzilla – Attachment 242171 Details for Bug 357001: task->mm or slab corruption with CIFS
Attachment 242171 [patch], obsolete
Description: patch -- fix bad handling of EAGAIN error on kernel_recvmsg in cifs_demultiplex_thread
Filename: 0001-CIFS-fix-bad-handling-of-EAGAIN-error-on-kernel_re.patch
MIME Type: text/plain
Creator: Jeff Layton
Created: 2007-10-29 17:37:13 UTC
Size: 2.70 KB
>From c18c732ec6bf372aa959ca6534cbfc32e464defd Mon Sep 17 00:00:00 2001 >From: Steve French <sfrench@us.ibm.com> >Date: Wed, 17 Oct 2007 18:01:11 +0000 >Subject: [PATCH] [CIFS] fix bad handling of EAGAIN error on kernel_recvmsg in cifs_demultiplex_thread > >When kernel_recvmsg returns -EAGAIN or -ERESTARTSYS, then >cifs_demultiplex_thread sleeps for a bit and then tries the read again. >When it does this, it's not zeroing out the length and that throws off >the value of total_read. Fix it to zero out the length. > >Can cause memory corruption: >If kernel_recvmsg returns an error and total_read is a large enough >value, then we'll end up going through the loop again. total_read will >be a bogus value, as will (pdu_length-total_read). When this happens we >end up calling kernel_recvmsg with a bogus value (possibly larger than >the current iov_len). > >At that point, memcpy_toiovec can overrun iov. It will start walking >up the stack, casting other things that are there to struct iovecs >(since it assumes that it's been passed an array of them). Any pointer >on the stack at an address above the kvec is a candidate for corruption >here. > >Many thanks to Ulrich Obergfell for pointing this out. > >Signed-off-by: Jeff Layton <jlayton@redhat.com> >Signed-off-by: Steve French <sfrench@us.ibm.com> >--- > fs/cifs/CHANGES | 3 ++- > fs/cifs/connect.c | 6 +++++- > 2 files changed, 7 insertions(+), 2 deletions(-) > >diff --git a/fs/cifs/CHANGES b/fs/cifs/CHANGES >index 70c90c0..2459ef0 100644 >--- a/fs/cifs/CHANGES >+++ b/fs/cifs/CHANGES >@@ -10,7 +10,8 @@ opened, read and written as if they were files). When 1st tree > connect fails (e.g. due to signing negotiation failure) fix > leak that causes cifsd not to stop and rmmod to fail to cleanup > cifs_request_buffers pool. Fix problem with POSIX Open/Mkdir on >-bigendian architectures. >+bigendian architectures. Fix possible memory corruption when >+EAGAIN returned on kern_recvmsg. > > Version 1.50 > ------------ 
>diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c >index 494455e..676bbf2 100644 >--- a/fs/cifs/connect.c >+++ b/fs/cifs/connect.c >@@ -415,7 +415,10 @@ incomplete_rcv: > msleep(1); /* minimum sleep to prevent looping > allowing socket to clear and app threads to set > tcpStatus CifsNeedReconnect if server hung */ >- continue; >+ if (pdu_length < 4) >+ goto incomplete_rcv; >+ else >+ continue; > } else if (length <= 0) { > if (server->tcpStatus == CifsNew) { > cFYI(1, ("tcp session abend after SMBnegprot")); >@@ -543,6 +546,7 @@ incomplete_rcv: > allowing socket to clear and app > threads to set tcpStatus > CifsNeedReconnect if server hung*/ >+ length = 0; > continue; > } else if (length <= 0) { > cERROR(1, ("Received no data, expecting %d", >-- >1.5.3.3 >
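Review bot: the new CHANGES entry in the fs/cifs/CHANGES hunk spells the function `kern_recvmsg`, while the commit subject, the commit body and the code all call it `kernel_recvmsg`; suggest using the real name in the changelog so the entry matches the fix it describes (e.g. "Fix possible memory corruption when EAGAIN returned on kernel_recvmsg.").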
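Review bot: the @@ -415 hunk (the first EAGAIN/ERESTARTSYS retry path) does not do what the commit message says the fix does, which is to zero out `length`; it instead replaces `continue;` with `if (pdu_length < 4) goto incomplete_rcv; else continue;`, and neither the hunk nor the message explains what `pdu_length < 4` signifies at that point or why this path is handled by a jump rather than a reset. Suggest a one-line comment above the test stating the condition it guards, and a sentence in the commit message covering this second change; as a style point the `else` is redundant after `goto`, so `if (pdu_length < 4) goto incomplete_rcv;` followed by `continue;` reads more plainly.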
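Review bot: the `length = 0;` added before `continue;` in the @@ -543 hunk is the reset the commit message describes, but nothing at the site says why it is needed; a reader sees only a sleep-and-retry branch and could later drop the assignment as a no-op. Suggest extending the adjacent comment block with the reason given in the commit message (a stale negative `length` throws off `total_read`, so the next request to kernel_recvmsg can exceed the iov), and noting why the earlier retry branch in the @@ -415 hunk needs no equivalent reset.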
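The corruption mechanism described in the commit message above, modelled in user space as an added example (this is not the kernel's code; `fake_recvmsg`, `body_read_overrun` and the scripted byte counts are constructed for the model):

```c
/* Added example (not kernel code): user-space model of the body-read loop in
 * cifs_demultiplex_thread, showing why a stale -EAGAIN left in 'length' makes
 * the next kernel_recvmsg request exceed the remaining iov. The scripted
 * socket and all names here are constructed for this model. */
#include <errno.h>
#include <stdio.h>

/* Stand-in for kernel_recvmsg: next scripted value, capped at the request. */
struct fake_sock { const int *script; int n; int pos; };

static int fake_recvmsg(struct fake_sock *s, unsigned int want)
{
	int r = (s->pos < s->n) ? s->script[s->pos++] : 0;
	return (r > 0 && (unsigned int)r > want) ? (int)want : r;
}

/* Reads a PDU of pdu_length bytes. With fix == 0 the loop mirrors the
 * pre-patch code: 'continue' runs the for-increment while length still holds
 * -EAGAIN, so total_read shrinks and pdu_length - total_read grows past the
 * iov. With fix == 1 length is zeroed first, as the patch does. Returns the
 * largest excess of a request over the remaining iov (0 = no overrun). */
int body_read_overrun(const int *script, int n, unsigned int pdu_length, int fix)
{
	struct fake_sock s = { script, n, 0 };
	unsigned int total_read, iov_len = pdu_length;
	int length = 0, worst = 0;

	for (total_read = 0; total_read < pdu_length; total_read += length) {
		unsigned int want = pdu_length - total_read;
		if (want > iov_len && (int)(want - iov_len) > worst)
			worst = (int)(want - iov_len); /* memcpy_toiovec would overrun */
		length = fake_recvmsg(&s, want);
		if (length == -EAGAIN) {	/* kernel: msleep(1), retry */
			if (fix)
				length = 0;
			continue;
		} else if (length <= 0) {
			break;			/* kernel: reconnect (not modelled) */
		}
		iov_len = ((unsigned int)length > iov_len) ? 0 : iov_len - length;
	}
	return worst;
}

/* Constructed script: 32 bytes, then EAGAIN, then the rest of a 64-byte PDU. */
const int demo_script[] = { 32, -EAGAIN, 32, 32 };
const int demo_script_len = 4;
```

With the scripted EAGAIN after 32 of 64 bytes, the pre-patch loop asks for EAGAIN more bytes than the iov has left, while the patched loop never over-requests.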