authorJim Keniston <jkenisto@us.ibm.com>2012-08-06 18:46:03 -0400
committerTheodore Ts'o <tytso@mit.edu>2012-08-06 18:46:42 -0400
commitd45b67c5f2a66597d8e2915052e180203a9193b8 (patch)
treeda75e6d05667a64600d60a98d92faeeab98cae45 /e2fsck/ehandler.c
parentd5aa6a82b37a0e78d8882601e6ad9da9d9dcb4da (diff)
e2fsck: fix potential segv when handling a read error in a superblock
When passed a negative count (indicating a byte count rather than a block count) e2fsck_handle_read_error() treats the data as a full block, causing unix_write_blk64() (which can handle negative counts just fine) to try to write too much. Given a faulty block device, this resulted in a SEGV when unix_write_blk64() read past the bottom of the stack copying the data to cache. (check_backup_super_block -> unix_read_blk64 -> raw_read_blk -> e2fsck_handle_read_error) Reported-by: Alex Friedman <alexfr@il.ibm.com> Signed-off-by: Jim Keniston <jkenisto@us.ibm.com> Signed-off-by: Dan Streetman <ddstreet@us.ibm.com> Reviewed-by: Mingming Cao <mcao@us.ibm.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Diffstat (limited to 'e2fsck/ehandler.c')
-rw-r--r--e2fsck/ehandler.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/e2fsck/ehandler.c b/e2fsck/ehandler.c
index 6eecf33f..6dddf9c1 100644
--- a/e2fsck/ehandler.c
+++ b/e2fsck/ehandler.c
@@ -60,7 +60,7 @@ static errcode_t e2fsck_handle_read_error(io_channel channel,
preenhalt(ctx);
if (ask(ctx, _("Ignore error"), 1)) {
if (ask(ctx, _("Force rewrite"), 1))
- io_channel_write_blk64(channel, block, 1, data);
+ io_channel_write_blk64(channel, block, count, data);
return 0;
}
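Review bot: The result of `io_channel_write_blk64(channel, block, count, data)` on the added line is discarded, so a forced rewrite that fails on the same faulty device still falls through to `return 0` and the read error is reported as handled. Capturing it, e.g. `errcode_t werr = io_channel_write_blk64(channel, block, count, data);`, and at least reporting a non-zero `werr` would make a failed rewrite visible to the operator. The line also deserves a comment recording the contract the commit message describes, such as `/* count < 0 is a byte count (-count bytes), not blocks; data is only that large */`, since that convention is what made the old hard-coded `1` overrun the caller's buffer. The body of e2fsck_handle_read_error starts and ends outside this hunk, so whether `count` can hold anything other than 1 or a negative value at this point cannot be confirmed from the lines shown.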