Date: Fri Apr 16 08:56:34 PDT 2004
Workarea: naboo.americas.sgi.com:/go/space/XFS/xfs-cmds
Inspected by: overby@xxxxxxx,sandeen@xxxxxxx,nathans@xxxxxxx
The following file(s) were checked into:
bonnie.engr.sgi.com:/isms/slinx/xfs-cmds
Modid: xfs-cmds:slinx:170226a
xfsprogs/libxfs/xfs_dir2_node.c - 1.17
- So this was a fun one to track down.
This bug has existed since version 1.1 of the dir2 code.
xfs_dir2_leafn_rebalance splits a directory tree block into
2 balanced blocks and then calculates the new index in either the
old block or the new block relying on the hash value.
This doesn't work in the case of a new-to-be-inserted element's hash value
being the same as an already existing element's hash value.
This resulted in a negative index being returned and then passed to
xfs_dir2_leafn_add, which it then used as a starting address in
the elements array.
The address (which is now pointing to somebody else's memory) was then
passed to memmove to move the tail of the array down 8 bytes.
Depending on the size of the array this would move all sorts of
possibly important info belonging to somebody else 8 bytes down.
As part of the fix add a sanity check to xfs_dir2_leafn_add
to make sure nobody else is passing in a negative index.
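The failure described above, as a constructed C model added here (not xfsprogs code): a hash-sorted block is split in half, an index calculation that uses one tie-break rule to pick the destination block and another to compute the position yields a negative index when the new hash equals an existing one, and a leafn_add-style insert carrying the sanity check from the fix refuses that index instead of handing it to memmove. Entry layout, hash values and function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define NENT 8
typedef struct { uint32_t hash; uint32_t addr; } entry_t;
/* Constructed sample, sorted by hash, with equal hashes (3) straddling the
 * split point NENT / 2 == 4. */
static const entry_t sample[NENT] = {
    {1, 10}, {2, 20}, {3, 30}, {3, 31}, {3, 32}, {5, 50}, {6, 60}, {7, 70}
};
/* First index whose hash is >= h. */
static int lower_bound(const entry_t *e, int n, uint32_t h) {
    int i = 0;
    while (i < n && e[i].hash < h) i++;
    return i;
}
/* Buggy rebalance: picks the destination block with a >= test against the
 * first hash of the new block but takes the position from a lower bound;
 * with equal hashes across the split the two rules disagree and the index
 * in the new block goes negative. fixed != 0 derives the block choice from
 * the same position as the index, so the two can no longer disagree. */
static int rebalance_index(const entry_t *e, int n, uint32_t h, int fixed, int *newblk) {
    int half = n / 2, pos = lower_bound(e, n, h);
    *newblk = fixed ? (pos >= half) : (h >= e[half].hash);
    return *newblk ? pos - half : pos;
}
/* leafn_add-style insert with the sanity check from the fix: a negative index
 * would make memmove start before the array, so refuse it. */
static int leafn_add(entry_t *blk, int *count, int cap, int index, entry_t ne) {
    if (index < 0 || index > *count || *count >= cap) return -1;
    memmove(&blk[index + 1], &blk[index], (size_t)(*count - index) * sizeof *blk);
    blk[index] = ne;
    (*count)++;
    return 0;
}
/* Inserting hash 3 (collides with existing entries): -2 buggy, 2 fixed. */
static int demo_index(int fixed) {
    int nb;
    return rebalance_index(sample, NENT, 3, fixed, &nb);
}
/* Status of leafn_add for the given index on a copy of the left half. */
static int demo_add(int index) {
    entry_t blk[NENT]; int count = NENT / 2;
    memcpy(blk, sample, sizeof blk);
    return leafn_add(blk, &count, NENT, index, (entry_t){3, 33});
}
```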