GPF with getdents on UMSDOS directory (2.0.27)

Giuliano Procida (gpp10@cus.cam.ac.uk)
Thu, 27 Feb 1997 10:07:02 +0000


Hi.

I managed to generate a rather broken umsdos directory; a copy of the
files is in ftp://pootle.magd.cam.ac.uk/archive/baddir.zip . This
directory caused any process scanning the directory 'BAD' to segfault,
on a Cyrix 6x86 PCI machine and on an ISA 486 machine, both running
versions of 2.0.27.

This is my first 'oops' post. I hope this problem will be repeatable
on other machines and I haven't left out any important information. It
may be that getdents is not validating its input carefully enough, but
I don't have much of a clue about checking this.

Giuliano Procida.

Trace follows.

Here is a strace of 'ls BAD':

execve("/bin/ls", ["ls", "BAD"], [/* 16 vars */]) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
mprotect(0x40000000, 20301, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x8048000, 47055, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
stat("/etc/ld.so.cache", {st_mode=S_IFREG|0644, st_size=4065, ...}) = 0
mprotect(0x40009000, 528099, PROT_READ|PROT_EXEC) = 0
mprotect(0x40000000, 20301, PROT_READ|PROT_EXEC) = 0
personality(PER_LINUX) = 0
geteuid() = 0
getuid() = 0
getgid() = 0
getegid() = 0
brk(0x8054cd4) = 0x8054cd4
brk(0x8055000) = 0x8055000
time(NULL) = 856982493
ioctl(1, TCGETS, 0xbffffd58) = -1 EINVAL (Invalid argument)
ioctl(1, TIOCGWINSZ, 0xbffffd90) = -1 EINVAL (Invalid argument)
brk(0x8058000) = 0x8058000
lstat("BAD", {st_mode=S_IFDIR|0755, st_size=10240, ...}) = 0
stat("BAD", {st_mode=S_IFDIR|0755, st_size=10240, ...}) = 0
open("BAD", O_RDONLY) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
getdents(3, /* 103 entries */, 2048) = 2044
brk(0x805d000) = 0x805d000
getdents(3, <unfinished ...>
+++ killed by SIGSEGV +++

The GPF details (from another failure):

general protection: 0000
CPU: 0
EIP: 0010:[<018296b9>]
EFLAGS: 00010206
eax: a02dfa2d ebx: 00a76c20 ecx: 0000000c edx: 00a76c18
esi: 00a76c1c edi: 00004c80 ebp: 0045e9c0 esp: 00a76bc8
ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
Process ls (pid: 5124, process nr: 38, stackpage=00a76000)
Stack: a02dfa2d 0182828a a02dfa2d 00a76c20 0000000c 00a76c18 00a76c1c 00a76d60
000000dc 00a76c1c 0000000e 0045e9c0 00214d90 bffffdb4 00a76d3c 00a76c1c
00004800 003628b8 00000000 002da8b8 00c2caa8 00000000 5f232323 237d2379

Trace: 182828a
Trace: 123e8a <__brelse+22/44>
Trace: 181603e
Trace: 1819a4e
Trace: 1819d40
Trace: 182be00
Trace: 123f58 <bread+18/7c>
Trace: 123e8a <__brelse+22/44>
Trace: 12bec4 <filldir>
Trace: 12bfff <sys_getdents+97/c8>
Trace: 12bec4 <filldir>
Trace: 10a630 <system_call+70/80>

Code: incw 0x7c(%eax)
Code: pushl %edx
Code: pushl %ecx
Code: pushl %ebx
Code: pushl %eax
Code: call ffff3deb <_EIP+ffff3deb>
Code: addl $0x10,%esp
Code: popl %ebx
Code: ret
Code: nop
Code: pushl %ebx
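The strace above shows ls driving the directory read itself: open, then repeated getdents calls into a 2048-byte buffer, with the crash on the second call. The following is an added example, not code from the original post, that does the same walk with the raw getdents64 syscall (the 2.0-era getdents the strace shows has the same record layout minus the d_type byte) so a directory can be scanned without ls or libc's readdir in the way, and every record the kernel returns is checked for a sane length and a NUL-terminated name before it is trusted. It assumes a Linux host; the directory path, the 2048-byte request size and the scan_dir/main names are choices made here.

```c
/*
 * Added example (not from the original post): enumerate a directory with the
 * raw getdents64 syscall and sanity-check each returned record.  Linux-only.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Layout of the records getdents64 writes into the caller's buffer. */
struct linux_dirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

/*
 * Walk `path` and return the number of entries seen, or -1 if open() or
 * getdents64 fails.  *bad counts records that fail a consistency check:
 * a record shorter than its header, a record running past the bytes the
 * kernel said it returned, or a name with no NUL inside its record.  A
 * healthy directory yields *bad == 0; a suspect one is reported, not walked.
 */
long scan_dir(const char *path, long *bad)
{
    char buf[2048];                 /* same request size ls used in the strace */
    long count = 0;
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    *bad = 0;
    if (fd < 0)
        return -1;

    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;          /* end of directory */

        long pos = 0;
        size_t hdr = offsetof(struct linux_dirent64, d_name);
        while (pos < n) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            /* header must fit, and the record must stay inside what was returned */
            if (pos + (long)hdr > n || d->d_reclen < hdr || pos + d->d_reclen > n) {
                (*bad)++;
                break;              /* pos can no longer be trusted; drop this buffer */
            }
            /* name must be NUL-terminated within its own record */
            if (memchr(d->d_name, '\0', d->d_reclen - hdr) == NULL)
                (*bad)++;
            count++;
            pos += d->d_reclen;
        }
    }
    close(fd);
    return count;
}

/* Usage: ./scan_dir [directory]   (defaults to the current directory) */
int main(int argc, char **argv)
{
    long bad;
    long n = scan_dir(argc > 1 ? argv[1] : ".", &bad);
    if (n < 0) { perror("scan_dir"); return 1; }
    printf("%ld entries, %ld malformed records\n", n, bad);
    return bad ? 2 : 0;
}
```

On a directory like the poster's BAD the interesting output is how many entries come back before the kernel faults, which is the same information the strace gives (103 entries in the first call) but without ls's own allocations in between; on an intact directory the checks simply pass.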