Nickolai Zeldovich
2013-Jan-08 16:11 UTC
[Ocfs2-devel] NULL pointer deref in OCFS2_IOC_MOVE_EXT
It appears that if a user calls ioctl(OCFS2_IOC_MOVE_EXT) and does not set OCFS2_MOVE_EXT_FL_AUTO_DEFRAG in range.me_flags, the kernel will invoke ocfs2_validate_and_adjust_move_goal. That function dereferences the 'bg' pointer (initialized to NULL) before it assigns anything else to 'bg'.

One possible fix is to revert ea5e1675ac832b42889ac8d254ea8fbfbdfaa8b2, which is when the code in ocfs2_validate_and_adjust_move_goal was moved in a way that guaranteed a NULL pointer dereference. But I don't fully understand what that change was trying to achieve.

Nickolai.
Tristan
2013-Jan-22

Hi Nickolai,

Thanks for reporting this issue, which seems to be a code bug here. The proper fix probably might be to reference 'bg' after it has been assigned.

Regards,
Tristan
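To make the ordering problem discussed in both messages concrete, here is a constructed, simplified model of a "validate and adjust move goal" routine, written for this thread and not taken from ocfs2: the buggy variant consults the group-descriptor pointer while it is still NULL, the fixed variant resolves the pointer (and checks for failure) before touching it. All names (move_range, group_desc, find_victim_group, CLUSTER_BLOCKS) and the 64-block group layout are hypothetical.

```c
/* Constructed model of the NULL-before-assignment bug; not ocfs2 code.
 * All identifiers and layout constants below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

#define GROUP_BLOCKS   64          /* constructed: blocks per allocation group */
#define CLUSTER_BLOCKS 8           /* constructed: blocks per cluster */
#define NGROUPS        4

struct group_desc { uint64_t blkno; };   /* first block of the group (descriptor block) */
struct move_range { uint64_t goal; };    /* user-supplied goal block from the ioctl argument */

/* Constructed "global bitmap": one descriptor per group. */
static const struct group_desc groups[NGROUPS] = { {0}, {64}, {128}, {192} };

/* Locate the group that contains `goal`. Returns 0 and sets *out,
 * or -EINVAL (leaving *out untouched) when the goal is out of range. */
int find_victim_group(uint64_t goal, const struct group_desc **out)
{
    if (goal >= (uint64_t)NGROUPS * GROUP_BLOCKS)
        return -EINVAL;
    *out = &groups[goal / GROUP_BLOCKS];
    return 0;
}

/* Buggy ordering: bg is dereferenced before anything is assigned to it.
 * Calling this crashes, which is the behaviour reported in the thread. */
int validate_goal_buggy(struct move_range *r)
{
    const struct group_desc *bg = NULL;
    if (r->goal == bg->blkno)            /* NULL dereference */
        r->goal += CLUSTER_BLOCKS;
    return find_victim_group(r->goal, &bg);
}

/* Fixed ordering: resolve bg first, return on error, then dereference. */
int validate_goal_fixed(struct move_range *r)
{
    const struct group_desc *bg = NULL;
    int ret = find_victim_group(r->goal, &bg);
    if (ret)
        return ret;                      /* bg is still NULL here and is never used */
    /* A goal must not start on the descriptor block: move it one cluster on. */
    if (r->goal == bg->blkno)
        r->goal += CLUSTER_BLOCKS;
    return 0;
}

/* Convenience wrapper: adjusted goal on success, -1 when validation fails. */
long long adjust_goal_or_neg(uint64_t goal)
{
    struct move_range r = { .goal = goal };
    return validate_goal_fixed(&r) ? -1 : (long long)r.goal;
}
```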