This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 357001 - task->mm or slab corruption with CIFS
task->mm or slab corruption with CIFS
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
7
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Kernel Maintainer List
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-29 13:37 EDT by Jeff Layton
Modified: 2014-06-18 03:36 EDT (History)
2 users (show)

See Also:
Fixed In Version: 2.6.23.1-21.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-09 18:38:08 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
patch -- fix bad handling of EAGAIN error on kernel_recvmsg in cifs_demultiplex_thread (2.70 KB, patch)
2007-10-29 13:37 EDT, Jeff Layton
no flags Details | Diff

  None (edit)
Description Jeff Layton 2007-10-29 13:37:13 EDT
From patch description:

When kernel_recvmsg returns -EAGAIN or -ERESTARTSYS, then
cifs_demultiplex_thread sleeps for a bit and then tries the read again.
When it does this, it's not zeroing out the length and that throws off
the value of total_read. Fix it to zero out the length.

Can cause memory corruption:
If kernel_recvmsg returns an error and total_read is a large enough
value, then we'll end up going through the loop again. total_read will
be a bogus value, as will (pdu_length-total_read). When this happens we
end up calling kernel_recvmsg with a bogus value (possibly larger than
the current iov_len).

At that point, memcpy_toiovec can overrun iov. It will start walking
up the stack, casting other things that are there to struct iovecs
(since it assumes that it's been passed an array of them). Any pointer
on the stack at an address above the kvec is a candidate for corruption
here.

Many thanks to Ulrich Obergfell for pointing this out.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>


------------

I think we want to carry this in fedora until this makes it into an upstream
point release.
Comment 1 Jeff Layton 2007-10-29 13:37:13 EDT
Created attachment 242171 [details]
patch -- fix bad handling of EAGAIN error on kernel_recvmsg in cifs_demultiplex_thread
Comment 2 Chuck Ebbert 2007-11-01 13:56:35 EDT
It took multiple patches, but the fix is now in 2.6.23.1-19 and above...
Comment 3 Fedora Update System 2007-11-09 18:38:04 EST
kernel-2.6.23.1-49.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.