Description of problem:
ext4_file_write returns an int, rather than a ssize_t, so large values may overflow, and return incorrect values to userspace. This is fixed with a simple one-liner to change the return value of ext4_file_write() to a ssize_t.

Version-Release number of selected component (if applicable):
Any recent RHEL6 kernel

How reproducible:
every time

Steps to Reproduce:
From the upstream mailing list as reported by Jouni Siren <jouni.siren>:

    #include <fstream>

    int main(int argc, char** argv)
    {
        // 2 GiB buffer: a single write larger than INT_MAX bytes
        std::streamsize data_size = (std::streamsize)1 << 31;
        char* data = new char[data_size];
        std::ofstream output("test.dat", std::ios_base::binary);
        output.write(data, 8);          // small write, stays in the stream buffer
        output.write(data, data_size);  // flushed together with the 8 bytes as one writev()
        output.write(data, data_size);
        output.close();
        delete[] data;
        return 0;
    }

Note the failing writev() with the large negative number:

    open("test.dat", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
    writev(3, [{"\0\0\0\0\0\0\0\0", 8}, {"", 2147483648}], 2) = -2147483640
    writev(3, [{0xffffffff80c6d258, 2147483648}, {"", 2147483648}], 2) = -1 EFAULT (Bad address)
    write(3, "\0\0\0\0\0\0\0\0", 8) = 8
    close(3) = 0
(Note, RHEL5 is not affected)
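The int-to-ssize_t truncation behind the negative writev() return values above, as an added userspace illustration that is not code from the bug report or the kernel: truncated_return() models the defective int return path, fixed_return() the corrected ssize_t path, and classify_rw_result() is a hypothetical sanity check that separates a genuine -errno from a byte count that wrapped negative. Assumes an LP64 target (64-bit ssize_t), as on RHEL6 x86_64.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Model of the defect: the byte count passes through an int return type
 * (as ext4_file_write() did) and is then widened back to ssize_t. */
ssize_t truncated_return(size_t bytes_written)
{
    int narrowed = (int)bytes_written;   /* 2^31 wraps to INT_MIN here (implementation-defined, modulo on gcc) */
    return (ssize_t)narrowed;            /* sign-extended, so the count stays negative */
}

/* The fix: keep the count in ssize_t end to end (assumes 64-bit ssize_t). */
ssize_t fixed_return(size_t bytes_written)
{
    return (ssize_t)bytes_written;
}

enum rw_result { RW_OK, RW_ERRNO, RW_BOGUS };

/* Linux returns errors as -1..-MAX_ERRNO; a return more negative than that
 * cannot be an error code and indicates a wrapped count, as strace showed. */
#define MAX_ERRNO 4095
enum rw_result classify_rw_result(ssize_t ret)
{
    if (ret >= 0)
        return RW_OK;
    if (ret >= -MAX_ERRNO)
        return RW_ERRNO;
    return RW_BOGUS;
}

int main(void)
{
    /* Constructed input: the 8-byte element plus the 2 GiB element of the first writev() above. */
    size_t n = (size_t)8 + ((size_t)1 << 31);
    ssize_t bad = truncated_return(n), good = fixed_return(n);
    printf("int path:    %zd (%s)\n", bad, classify_rw_result(bad) == RW_BOGUS ? "bogus" : "valid");
    printf("ssize_t path: %zd\n", good);   /* 2147483656 */
    return 0;
}
```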
*** Bug 814296 has been marked as a duplicate of this bug. ***
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Patch(es) available on kernel-2.6.32-266.el6
Seems this only affects writev(2) system call

Reproduced on kernel-2.6.32-250.el6

writev(2) returns negative value
    writev(3, [{"", 2147483648}], 1) = -2147483648

write(2) does a partial write
    write(3, "", 2147483648) = 2147479552

Verified on kernel-2.6.32-266.el6

writev(2) returns correct value
    writev(3, [{"", 2147483648}], 1) = 2147483648

write(2) also returns no error, but partial write
    write(3, "", 2147483648) = 2147479552
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-0862.html