[PATCH] fs/ext[23]/xattr.c pointer arithmetic fix

From: Andreas Gruenbacher
Date: Thu Nov 13 2003 - 10:57:44 EST

Next message: Richard B. Johnson: "Re: nfs_statfs: statfs error = 116"
Previous message: stuart hayes: "PATCH: gets ide-tape working on 2.6"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

we just found a 64-bit pointer arithmetic bug in the ext2 and ext3
extended attributes code. The fix is attached; could you please apply...

Thanks,
--
Andreas Gruenbacher <agruen@xxxxxxx>
SuSE Labs, SuSE Linux AG <http://www.suse.de/>
64-bit pointer arithmetic bug in xattr code

The int offset is not enought to hold the difference between
arbitraty pointers on 64-bit machines. Compute the offset of
here and last inside HDR(bh) instead.

Index: linux-2.6.0-test9/fs/ext2/xattr.c
===================================================================
--- linux-2.6.0-test9.orig/fs/ext2/xattr.c 2003-10-25 20:43:58.000000000 +0200
+++ linux-2.6.0-test9/fs/ext2/xattr.c 2003-11-13 14:31:02.649956273 +0100
@@ -617,9 +617,11 @@ bad_block: ext2_error(sb, "ext2_xattr_s
goto cleanup;
memcpy(header, HDR(bh), bh->b_size);
header->h_refcount = cpu_to_le32(1);
- offset = (char *)header - bh->b_data;
- here = ENTRY((char *)here + offset);
- last = ENTRY((char *)last + offset);
+
+ offset = (char *)here - bh->b_data;
+ here = ENTRY((char *)header + offset);
+ offset = (char *)last - bh->b_data;
+ last = ENTRY((char *)header + offset);
}
} else {
/* Allocate a buffer where we construct the new block. */
Index: linux-2.6.0-test9/fs/ext3/xattr.c
===================================================================
--- linux-2.6.0-test9.orig/fs/ext3/xattr.c 2003-10-25 20:43:50.000000000 +0200
+++ linux-2.6.0-test9/fs/ext3/xattr.c 2003-11-13 14:31:23.932352979 +0100
@@ -629,9 +629,10 @@ bad_block: ext3_error(sb, "ext3_xattr_s
goto cleanup;
memcpy(header, HDR(bh), bh->b_size);
header->h_refcount = cpu_to_le32(1);
- offset = (char *)header - bh->b_data;
- here = ENTRY((char *)here + offset);
- last = ENTRY((char *)last + offset);
+ offset = (char *)here - bh->b_data;
+ here = ENTRY((char *)header + offset);
+ offset = (char *)last - bh->b_data;
+ last = ENTRY((char *)header + offset);
}
} else {
/* Allocate a buffer where we construct the new block. */

Next message: Richard B. Johnson: "Re: nfs_statfs: statfs error = 116"
Previous message: stuart hayes: "PATCH: gets ide-tape working on 2.6"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]