Bug #2156

ceph: xattr: fix a possible buffer overrun bug

Added by Alex Elder almost 12 years ago. Updated almost 12 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
% Done: 0%
Source: Development
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Crash signature (v1):
Crash signature (v2):

Description

In ceph_vxattrcb_file_layout(), if an inode has a preferred PG its
value is added to the formatted output buffer. In doing so, the
previously-consumed portion of the buffer is accounted for in
deciding where in the buffer to write, but the number of bytes
remaining in the buffer is not. The result could conceivably
result in a buffer overflow.

The simple fix is to subtract the consumed portion of the buffer
from the size before formatting the PG into the buffer.
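
The pattern described above, shown as an added userspace example (not the kernel's code and not part of the original report): the second snprintf() writes at an offset but is told the full buffer size, unless the consumed bytes are subtracted first. The function names, field strings, and the truncation guard after the first snprintf() are assumptions made for this illustration; the oversized backing array exists only so the demonstration can count the stray bytes without corrupting memory.

```c
#include <stdio.h>
#include <string.h>

#define CANARY 0xAA

/* Hypothetical model: format two fields into val[0..size).
 * fixed == 0 reproduces the bug; fixed != 0 applies the fix. */
static int format_layout(char *val, size_t size, long long stripe,
                         long long preferred_pg, int fixed)
{
    int ret = snprintf(val, size, "stripe_count=%lld\n", stripe);
    if (ret < 0 || (size_t)ret >= size)
        return ret;     /* added guard: first field already truncated */

    /* Bug: the pointer is advanced by ret, but the limit is still size.
     * Fix: the limit is what remains, size - ret. */
    size_t limit = fixed ? size - (size_t)ret : size;
    ret += snprintf(val + ret, limit, "preferred_pg=%lld\n", preferred_pg);
    return ret;
}

/* Returns how many bytes were modified beyond the size the caller declared. */
static size_t bytes_past_end(int fixed)
{
    char backing[128];       /* real allocation, larger than declared size */
    const size_t size = 24;  /* size the caller claims to own (constructed) */
    size_t i, n = 0;

    memset(backing, CANARY, sizeof(backing));
    format_layout(backing, size, 1, 123456789012LL, fixed);
    for (i = size; i < sizeof(backing); i++)
        if ((unsigned char)backing[i] != CANARY)
            n++;
    return n;
}

int main(void)
{
    printf("buggy: %zu bytes written past end\n", bytes_past_end(0));
    printf("fixed: %zu bytes written past end\n", bytes_past_end(1));
    return 0;
}
```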

History

#1 Updated by Alex Elder almost 12 years ago

  • Status changed from New to 7

This has been fixed in this commit:
260ac0e65b ceph: fix three bugs, two in ceph_vxattrcb_file_layout()

The commit will go into the ceph-client/testing branch, and after
some nightly test coverage will be pushed to the master branch.

#2 Updated by Alex Elder almost 12 years ago

This got rebased: 3489b42a72a41d477665ab37f196ae9257180abb

This has been sent as part of a pull request to Linus for
Linux 3.4. Will close this for good when I see it's been
accepted into mainline.

#3 Updated by Alex Elder almost 12 years ago

  • Status changed from 7 to Resolved

Linus pulled in the changes without any immediate trouble, so
I'm marking this and a few others resolved.
