Bug 237326

Summary: md: read past end of bitmap file causes md device initialization to fail
Product: Red Hat Enterprise Linux 5 Reporter: Paul Clements <paul.clements>
Component: kernelAssignee: Ivan Vecera <ivecera>
Status: CLOSED ERRATA QA Contact: Martin Jenner <mjenner>
Severity: high Docs Contact:
Priority: medium    
Version: 5.0CC: dzickus
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2008-0314 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 14:42:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 425461    
Attachments:
Description Flags
kernel patch none

Description Paul Clements 2007-04-20 20:06:10 UTC 
Description of problem:

(from Neil Brown, md maintainer)

In most cases we check the size of the bitmap file before
reading data from it.  However when reading the superblock,
we always read the first PAGE_SIZE bytes, which might not 
always be appropriate.  So limit that read to the size of the
file if appropriate.

Also, we get the count of available bytes wrong in one place,
so that too can read past the end of the file.

Patch, which is in mainline and has been tested against the RHEL 5 kernel, attached.

Version-Release number of selected component (if applicable):
kernel: 2.6.18-8.1.1.el5
RHEL: redhat-release-5Server-5.0.0.7

How reproducible:
Always

Steps to Reproduce:
1. create md array with a bitmap file where bitmap file is on a filesystem with
block size smaller than page size -- md will try to read past the end of the
file, which causes the md array to fail

or

2. create md array with a bitmap file such that the size of the bitmap file is
close to the page size (within 256 bytes) -- this also causes md to read past
the end of the file, causing the md array to fail
Comment 1 Paul Clements 2007-04-20 20:06:10 UTC 
Created attachment 153209 [details]
kernel patch
Comment 2 RHEL Program Management 2007-08-31 12:13:40 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 Don Zickus 2008-01-21 17:27:01 UTC 
in 2.6.18-71.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 7 errata-xmlrpc 2008-05-21 14:42:33 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0314.html