Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 1065434

Summary: [ext3] infinite loop in ext3_dx_find_entry()
Product: Red Hat Enterprise Linux 5 Reporter: Cedric Buissart <cbuissar>
Component: kernelAssignee: Lukáš Czerner <lczerner>
Status: CLOSED EOL QA Contact: Filesystem QE <fs-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.11CC: aglotov, dwysocha, esandeen, jpittman, nmurray, xzhou
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1138531 (view as bug list) Environment:
Last Closed: 2018-10-02 09:29:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1138531    

Description Cedric Buissart 2014-02-14 16:26:58 UTC 
>> Description of problem:

ext3_dx_find_entry() may trigger an infinite loop if de's rec_len is 0 (e.g. : bad block, corruption) :

~~~
static struct buffer_head * ext3_dx_find_entry(struct dentry *dentry,
                       struct ext3_dir_entry_2 **res_dir, int *err)
{
[...]
                for (; de < top; de = ext3_next_entry(de))
                if (ext3_match (namelen, name, de)) {            <= %RIP is somewhere within that loop
                        if (!ext3_check_dir_entry("ext3_find_entry",
                                                  dir, de, bh,
                                  (block<<EXT3_BLOCK_SIZE_BITS(sb))
                                          +((char *)de - bh->b_data))) {
                                brelse (bh);
                                goto errout;
                        }
                        *res_dir = de;
                        dx_release (frames);
                        return bh;
                }
~~~

There would be 2 upstream commit that would resolve the issue :

1) upstream "ext3: Use search_dirblock() in ext3_dx_find_entry()"
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5026e90b8668

The search_dirblock() makes sure that rec_len is not zero.

2) upstream "ext3: validate directory entry data before use"
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=275c0a8f



See vmcore analysis in next comment.
Comment 4 Eric Sandeen 2014-02-17 17:04:19 UTC 
Lukas, can you take a look at this one?  Sounds like patches exist upstream.

Thanks,
-Eric
Comment 8 RHEL Program Management 2014-02-19 09:22:59 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.
Comment 12 Mike McCune 2016-03-28 22:55:34 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions