Bug 814302
| Summary: | large writes to ext4 may return incorrect value | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Eric Sandeen <esandeen> |
| Component: | kernel | Assignee: | Eric Sandeen <esandeen> |
| Status: | CLOSED ERRATA | QA Contact: | Eryu Guan <eguan> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.3 | CC: | eguan, jouko.orava |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | kernel-2.6.32-266.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-20 08:48:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
(Note, RHEL5 is not affected)

*** Bug 814296 has been marked as a duplicate of this bug. ***

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

Patch(es) available on kernel-2.6.32-266.el6

Seems this only affects writev(2) system call
Reproduced on kernel-2.6.32-250.el6
writev(2) returns negative value
writev(3, [{"", 2147483648}], 1) = -2147483648
write(2) does a partial write
write(3, "", 2147483648) = 2147479552
Verified on kernel-2.6.32-266.el6
writev(2) returns correct value
writev(3, [{"", 2147483648}], 1) = 2147483648
write(2) also returns no error, but partial write
write(3, "", 2147483648) = 2147479552

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHSA-2012-0862.html

Description of problem:
ext4_file_write returns an int, rather than a ssize_t, so large values may overflow, and return incorrect values to userspace.

This is fixed with a simple one-liner to change the return value of ext4_file_write() to a ssize_t.

Version-Release number of selected component (if applicable):
Any recent RHEL6 kernel

How reproducible:
every time

Steps to Reproduce:
From the upstream mailing list as reported by Jouni Siren <jouni.siren>:

    #include <fstream>

    int main(int argc, char** argv)
    {
      std::streamsize data_size = (std::streamsize)1 << 31;
      char* data = new char[data_size];

      std::ofstream output("test.dat", std::ios_base::binary);
      output.write(data, 8);
      output.write(data, data_size);
      output.write(data, data_size);
      output.close();

      delete[] data;
      return 0;
    }

Note the failing writev() with the large negative number:

open("test.dat", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
writev(3, [{"\0\0\0\0\0\0\0\0", 8}, {"", 2147483648}], 2) = -2147483640
writev(3, [{0xffffffff80c6d258, 2147483648}, {"", 2147483648}], 2) = -1 EFAULT (Bad address)
write(3, "\0\0\0\0\0\0\0\0", 8) = 8
close(3) = 0
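
The int-versus-ssize_t narrowing described in this report, modelled in user space as an added example (it is not code from the kernel or from this bug). The helper names are hypothetical, and the conversion to int assumes the GCC/Clang behaviour of keeping the low 32 bits. `classify` is one way a caller can tell apart a complete write, the partial write seen with write(2), a -1 error, and a return value the call should never produce.

```c
#include <stdint.h>
#include <stdio.h>

/* Pre-fix model: a 64-bit byte count passes through an int return type.
 * Out-of-range conversion to int is implementation-defined in C; GCC and
 * Clang keep the low 32 bits, which is the behaviour assumed here. */
static int64_t through_int(int64_t written)
{
    int narrowed = (int)written;
    return (int64_t)narrowed;   /* caller widens it again, sign-extending */
}

/* Post-fix model: the count keeps its full width (ssize_t on x86_64). */
static int64_t through_ssize(int64_t written)
{
    return written;
}

enum wr_status { WR_COMPLETE, WR_PARTIAL, WR_ERROR, WR_BOGUS };

/* Caller-side check of a write()/writev() return value. */
static enum wr_status classify(int64_t ret, uint64_t requested)
{
    if (ret == -1)
        return WR_ERROR;                      /* libc convention, errno is set */
    if (ret < 0 || (uint64_t)ret > requested)
        return WR_BOGUS;                      /* not a value the call may return */
    return (uint64_t)ret == requested ? WR_COMPLETE : WR_PARTIAL;
}

int main(void)
{
    const int64_t big = (int64_t)1 << 31;     /* 2147483648, as in the report */
    static const char *name[] = { "complete", "partial", "error", "bogus" };

    printf("int path,     8 + 2^31 bytes: %lld\n", (long long)through_int(8 + big));
    printf("ssize_t path, 8 + 2^31 bytes: %lld\n", (long long)through_ssize(8 + big));
    printf("writev -2147483640 -> %s\n", name[classify(through_int(8 + big), 8 + big)]);
    printf("write   2147479552 -> %s\n", name[classify(2147479552LL, big)]);
    return 0;
}
```

The values fed to the model are the byte counts from the strace output in this report: 8 + 2147483648 for the first writev() of the reproducer and 2147483648 for the single-buffer case.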