[linux-lvm] Tr: Possible LVM bug in 2.4.19-rc1

Heinz J . Mauelshagen mauelshagen at sistina.com
Mon Jul 8 04:15:02 UTC 2002 

FYI: have fixed this OBO error in CVS (Branch LVM_BRANCH_1-0)
     and send a patch for 2.4 to Marcelo.

Thanks to Benjamin and Olaf for pointing this one out :)

Regards,
Heinz    -- The LVM Guy --

On Fri, Jul 05, 2002 at 12:28:09PM +0200, Benjamin Herrenschmidt wrote:
> ---------------- Début du message transmis ----------------
> Sujet: Possible LVM bug in 2.4.19-rc1
> Envoyé: jeudi 4 juillet 2002 13:59
> De: Benjamin Herrenschmidt <benh at kernel.crashing.org>
> À: linux-kernel at vger.kernel.org
> 
> Hi !
> 
> Olaf and I have been tracking down a bug where the kernel died
> into lvm_blk_open() during boot on pmac, and later on other PPCs
> when trying to access an unconfigured LVM block device (or an
> LVM minor not associated yet). This typically happened in the
> pmac root discovery code which walks all gendisks, but I beleive
> there are other possible exploits.
>  
> Here's what I've tracked down so far:
> 
>   static int lvm_blk_open(struct inode *inode, struct file *file)
>   {
>   	int minor = MINOR(inode->i_rdev);
>   	lv_t *lv_ptr;
>   	vg_t *vg_ptr = vg[VG_BLK(minor)];
> 
>   	P_DEV("blk_open MINOR: %d  VG#: %d  LV#: %d  mode: %s%s\n",
> 	        minor, VG_BLK(minor), LV_BLK(minor),
>   	      MODE_TO_STR(file->f_mode));
> 
>   #ifdef LVM_TOTAL_RESET
> 	  if (lvm_reset_spindown > 0)
> 	  	return -EPERM;
>   #endif
> 
>   	if (vg_ptr != NULL &&
>   	    (vg_ptr->vg_status & VG_ACTIVE) &&
> 
>   .../...
> 
> At this point, no association have been made. That is VG_BLK(minor)
> will return vg_lv_map[minor].vg_number which has been initialized
> to ABS_MAX_VG in lvm_init_vars().
> 
> That means that vg_ptr is set to vg[ABS_MAX_VG], which is right outside
> the array bounds, as vg is declared to be
> 
>   /* volume group descriptor area pointers */
>   vg_t *vg[ABS_MAX_VG];
> 
> So, as soon as we dereference vg_ptr, we get whatever garbage is located
> right after the array, and not the NULL value we would expect for a non
> initialized association.
> 
> If my understanding is correct, then a simple fix would be to
> 
>   /* volume group descriptor area pointers */
> -  vg_t *vg[ABS_MAX_VG];
> +  vg_t *vg[ABS_MAX_VG+1];
> 
> though it's a bit hackish... maybe we should just test
> VG_BLK < ABS_MAX_VG
> 
> Also, the loop initializing vg array to NULL can probably be removed
> from lvm_init_vars as vg is part of the BSS and thus cleared by default.
> 
> Did I miss something ?
> 
> Ben.
> 
> ----------------- Fin du message transmis -----------------
> 
> 
> 
> _______________________________________________
> linux-lvm mailing list
> linux-lvm at sistina.com
> http://lists.sistina.com/mailman/listinfo/linux-lvm
> read the LVM HOW-TO at http://www.sistina.com/lvm/Pages/howto.html

*** Software bugs are stupid.
    Nevertheless it needs not so stupid people to solve them ***

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Heinz Mauelshagen                                 Sistina Software Inc.
Senior Consultant/Developer                       Am Sonnenhang 11
                                                  56242 Marienrachdorf
                                                  Germany
Mauelshagen at Sistina.com                           +49 2626 141200
                                                       FAX 924446
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

More information about the linux-lvm mailing list