Bug#78364: hurd: lookup for names > diskfs_name_max kills filesystem
From: Marcus . Brinkmann
Subject: Bug#78364: hurd: lookup for names > diskfs_name_max kills filesystem
Date: Wed, 29 Nov 2000 23:17:56 +0100
Package: hurd
Version: N/A
Severity: normal
Hi,
touch [ALT+256] x
crashes the filesystem. Further debugging showed that the crash happens
immediately after diskfs_S_dir_lookup is called, in the destructor.
The destructor for dir_lookup is in libdiskfs/priv.h, it is:

    extern inline void
    end_using_protid_port (struct protid *cred)
    {
      if (cred)
        ports_port_deref (cred);
    }

The crash happens in ports_port_deref, when trying to dereference pi, which is
just cred but interpreted as a pointer to a struct port_info.
Now, that's weird. It crashes with E_BAD_ACCESS in ports_port_deref, because
it can't access the memory at cred. I verified that in _Xdir_lookup

    start_dir = begin_using_protid_port(In0P->Head.msgh_request_port);
    OutP->RetCode = diskfs_S_dir_lookup(start_dir, In0P->file_name,
        In0P->flags, In0P->mode, &OutP->do_retry, OutP->retry_name,
        &OutP->result, &resultPoly);
    end_using_protid_port(start_dir);

the value of start_dir isn't mangled (wouldn't make sense anyway).
It is the same for diskfs_S_dir_lookup as for end_using_protid_port.
Maybe the memory at this location is accidentally freed? How could this
happen? I single stepped through diskfs_S_dir_lookup and diskfs_lookup,
without seeing anything special.
Any hints appreciated,
Marcus
-- System Information
Debian Release: 2.2
Kernel Version: Linux ulysses 2.4.0-test9 #1 Mon Okt 30 20:36:05 CET 2000 i686 unknown