From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11]) by oss.sgi.com (8.14.3/8.14.3/SuSE Linux 0.8) with ESMTP id p21IGB7L213239 for ; Tue, 1 Mar 2011 12:16:11 -0600 Received: from mail.sandeen.net (localhost [127.0.0.1]) by cuda.sgi.com (Spam Firewall) with ESMTP id E99A41633E5E for ; Tue, 1 Mar 2011 10:18:58 -0800 (PST) Received: from mail.sandeen.net (sandeen.net [63.231.237.45]) by cuda.sgi.com with ESMTP id uMcMiKSxA1khIwMP for ; Tue, 01 Mar 2011 10:18:58 -0800 (PST) Message-ID: <4D6D3891.5060908@sandeen.net> Date: Tue, 01 Mar 2011 12:18:57 -0600 From: Eric Sandeen MIME-Version: 1.0 Subject: Re: [PATCH, V3 (sort of)] xfs: zero proper structure size for geometry calls References: <4D6C28A5.60905@mnsu.edu> <4D6C4DEE.6020902@sandeen.net> <4D6C9958.2040607@sandeen.net> <1298984132.32568.3.camel@dan> <4D6D128C.6010503@mnsu.edu> <4D6D157B.9070800@sandeen.net> <1299001800.2381.10.camel@doink> In-Reply-To: <1299001800.2381.10.camel@doink> List-Id: XFS Filesystem from SGI List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: xfs-bounces@oss.sgi.com Errors-To: xfs-bounces@oss.sgi.com To: aelder@sgi.com Cc: Jeffrey Hundstad , Dan Rosenberg , Eugene Teo , xfs@oss.sgi.com On 3/1/11 11:50 AM, Alex Elder wrote: > I'm sorry to muddy the waters with this. But I think the > proposed patch fixes the wrong problem. Having xfs_fs_geometry() > zero its argument is fine--it defines an interface and honors > it. The real problem lies in xfs_ioc_fsgeometry_v1(), which > violates that interface by passing the address of an object > that's not the right size. So below is an alternative to > Eric's solution which just fixes this one caller instead. > > Eric has already told me this makes more sense. It would > be nice if Jeffrey would re-test this fix, and Dan would > sign off on it as well. Reviewed-by: Eric Sandeen thanks, -Eric > -Alex > > Commit 493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to > xfs_fs_geometry() in order to avoid passing kernel stack data back > to user space: > > + memset(geo, 0, sizeof(*geo)); > > Unfortunately, one of the callers of that function passes the > address of a smaller data type, cast to fit the type that > xfs_fs_geometry() requires. As a result, this can happen: > > Kernel panic - not syncing: stack-protector: Kernel stack is corrupted > in: f87aca93 > > Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1 > Call Trace: > > [] ? panic+0x50/0x150 > [] ? __stack_chk_fail+0x10/0x18 > [] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs] > > > Fix this by fixing that one caller to pass the right type and then > copy out the subset it is interested in. > > Note: This patch is an alternative to one originally proposed by > Eric Sandeen. > > Reported-by: Jeffrey Hundstad > Signed-off-by: Alex Elder > > --- > fs/xfs/linux-2.6/xfs_ioctl.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > > Index: b/fs/xfs/linux-2.6/xfs_ioctl.c > =================================================================== > --- a/fs/xfs/linux-2.6/xfs_ioctl.c > +++ b/fs/xfs/linux-2.6/xfs_ioctl.c > @@ -695,14 +695,19 @@ xfs_ioc_fsgeometry_v1( > xfs_mount_t *mp, > void __user *arg) > { > - xfs_fsop_geom_v1_t fsgeo; > + xfs_fsop_geom_t fsgeo; > int error; > > - error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3); > + error = xfs_fs_geometry(mp, &fsgeo, 3); > if (error) > return -error; > > - if (copy_to_user(arg, &fsgeo, sizeof(fsgeo))) > + /* > + * Caller should have passed an argument of type > + * xfs_fsop_geom_v1_t. This is a proper subset of the > + * xfs_fsop_geom_t that xfs_fs_geometry() fills in. > + */ > + if (copy_to_user(arg, &fsgeo, sizeof (xfs_fsop_geom_v1_t))) > return -XFS_ERROR(EFAULT); > return 0; > } > > _______________________________________________ xfs mailing list xfs@oss.sgi.com http://oss.sgi.com/mailman/listinfo/xfs