Date: Fri Apr 16 08:54:36 PDT 2004
Workarea: naboo.americas.sgi.com:/go/space/XFS/xfs-linux-new
Inspected by: overby@xxxxxxx,sandeen@xxxxxxx,nathans@xxxxxxx
The following file(s) were checked into:
bonnie.engr.sgi.com:/isms/xfs-kern/xfs-linux
Modid: xfs-linux:xfs-kern:170221a
xfs_dir2_node.c - 1.40
- So this was a fun one to track down.
This bug has existed since version 1.1 of the dir2 code.
xfs_dir2_leafn_rebalance splits a directory tree block into
2 balanced blocks and then calculates the new index in either the
old block or the new block relying on the hash value.
This doesn't work in the case of a new to-be-inserted element's hash value
being the same as an already existing element's hash value.
This resulted in a negative index being returned and then passed to
xfs_dir2_leafn_add, which it then used as a starting address in
the elements array.
The address (which is now pointing to somebody else's memory) was then
passed to memmove to move the tail of the array down 8 bytes.
Depending on the size of the array this would move all sorts of
possibly important info belonging to somebody else 8 bytes down.
As part of the fix add a sanity check to xfs_dir2_leafn_add
to make sure nobody else is passing in a negative index.
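The failure mode and the fix described above, as an added example that is not XFS's code: a simplified model of the rebalance that yields a negative index when the inserted hash collides with entries straddling the split, beside an insert routine carrying the sanity check the fix calls for. The names (model_rebalance, leafn_add, run_case), the entry layout and the sample hashes are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define MAXENTS 8
/* Hypothetical simplified leaf block: hash-sorted entries plus a count. */
typedef struct { uint32_t hashval; uint32_t address; } ent_t;
typedef struct { int count; ent_t ents[MAXENTS]; } leaf_t;
/* Model of the rebalance (not XFS's code): move the upper half of 'left' to
 * 'right', find the slot of 'hash' in the pre-split order, then pick a block by
 * comparing against the first hash in 'right'. When 'hash' equals entries that
 * straddle the split, the slot is in 'left' but 'right' is chosen: index < 0. */
static int model_rebalance(leaf_t *left, leaf_t *right, uint32_t hash, leaf_t **dst)
{
    int mid = left->count / 2, total = left->count, idx;
    right->count = total - mid;
    memcpy(right->ents, &left->ents[mid], right->count * sizeof(ent_t));
    left->count = mid;
    for (idx = 0; idx < total; idx++) {   /* first slot whose hash >= hash */
        uint32_t h = idx < mid ? left->ents[idx].hashval : right->ents[idx - mid].hashval;
        if (h >= hash) break;
    }
    if (hash < right->ents[0].hashval) { *dst = left; return idx; }
    *dst = right;
    return idx - mid;                     /* < 0 on a collision at the split */
}

/* Insert at 'index', shifting the tail one slot with memmove. The range check
 * is the sanity check the fix adds: a negative index would otherwise make
 * memmove read and write outside the entry array. */
static int leafn_add(leaf_t *leaf, int index, uint32_t hash, uint32_t address)
{
    if (index < 0 || index > leaf->count || leaf->count >= MAXENTS)
        return -1;                        /* reject rather than corrupt memory */
    memmove(&leaf->ents[index + 1], &leaf->ents[index],
            (size_t)(leaf->count - index) * sizeof(ent_t));
    leaf->ents[index].hashval = hash;
    leaf->ents[index].address = address;
    leaf->count++;
    return 0;
}

/* Returns the model's index for 'hash'; last_add_rc records leafn_add's verdict. */
static int last_add_rc;
static int run_case(uint32_t hash)
{
    /* constructed sample: hash 3 occurs twice and straddles the split point */
    leaf_t lf = { 6, { {1,0}, {2,0}, {3,0}, {3,0}, {4,0}, {5,0} } }, rt = { 0 }, *dst;
    int index = model_rebalance(&lf, &rt, hash, &dst);
    last_add_rc = leafn_add(dst, index, hash, 0xabcd);
    return index;
}
```

With the colliding hash 3 the model returns -1 and leafn_add refuses it; a non-colliding hash such as 4 lands at index 1 of the new block and is accepted.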