Re: [PATCH] eCryptfs: infinite loop bug

From: Tyler Hicks
Date: Wed Jan 18 2012 - 16:04:10 EST

Next message: Alexey Dobriyan: "Re: [PATCH] kconfig: untangle EXPERT and EMBEDDED"
Previous message: David Miller: "Re: pull request: wireless 2012-01-18"
In reply to: Linus Torvalds: "Re: [PATCH] eCryptfs: infinite loop bug"
Next in thread: Dustin Kirkland: "Re: [PATCH] eCryptfs: infinite loop bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2012-01-18 12:49:17, Linus Torvalds wrote:
> Hmm.
>
> There are *two* cases where we do that "total_remaining_bytes"
> calculation. The same bug seems to exist both in ecryptfs_read() and
> ecryptfs_write().

ecryptfs_read() is ifdef'ed out, and has been for years, so I'll just go
ahead and kill that function for good.

>
> Possibly only the ecryptfs_write() one leads to an endless loop, but
> the read one looks suspicious too.
>
> Also, what protects things against this just being one nasty DoS
> attack - even if the code is fixed to not be an endless loop, it looks
> like a trivial "truncate()" can be used to generate a *practically*
> infinite write stream. At the very least, this should be KILLABLE. Or
> did I mis-read the code?

I think you're right. I'll start off with making it killable and then
see if there is anything else we can do.

Tyler

>
> Tyler, Dustin, others - comments? This looks nasty.
>
> Linus.
>
> 2012/1/17 dragonylffly <dragonylffly@xxxxxxx>:
> > Hi,
> > There is an infinite loop bug in eCryptfs, to make it present,
> > just truncate to generate a huge file (>= 4G) on a 32-bit machine under
> > the plain text foleder mounted with eCryptfs, a simple command
> > 'truncate -s 4G dummy' is enough. Note: 4GB is smaller than 4G,
> > therefore the following command 'truncate -s 4GB dummy' will not
> > trigger this bug. The bug comes from a data overflow, the patch below fixes
> > it.
> >
> > Cheers,
> > Li Wang
> >
> > ---
> >
> > signed-off-by: Li Wang <liwang@xxxxxxxxxxx>
> >                Yunchuan Wen (wenyunchuan@xxxxxxxxxxxxxx)
> >
> > --- read_write.c.orig 2012-01-18 10:39:26.000000000 +0800
> > +++ read_write.c 2012-01-18 19:48:41.484196221 +0800
> > @@ -130,7 +130,7 @@
> >    pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT);
> >    size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK);
> >    size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
> > -  size_t total_remaining_bytes = ((offset + size) - pos);
> > +  loff_t total_remaining_bytes = ((offset + size) - pos);
> >
> >    if (num_bytes > total_remaining_bytes)
> >     num_bytes = total_remaining_bytes;
> >
> >
> >
> --
> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

Attachment: signature.asc
Description: Digital signature

Next message: Alexey Dobriyan: "Re: [PATCH] kconfig: untangle EXPERT and EMBEDDED"
Previous message: David Miller: "Re: pull request: wireless 2012-01-18"
In reply to: Linus Torvalds: "Re: [PATCH] eCryptfs: infinite loop bug"
Next in thread: Dustin Kirkland: "Re: [PATCH] eCryptfs: infinite loop bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]