[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bug#78364: hurd: lookup for names > diskfs_name_max kills filesystem

From: Marcus . Brinkmann
Subject: Bug#78364: hurd: lookup for names > diskfs_name_max kills filesystem
Date: Wed, 29 Nov 2000 23:17:56 +0100

Package: hurd
Version: N/A
Severity: normal


touch [ALT+256] x

crashes the filesystem. Further debugging showed that the crash happens
immediately after diskfs_S_dir_lookup is called, in the destructor.
The destuctor for dir_lookup is in libdiskfs/priv.h, it is:

extern inline void
end_using_protid_port (struct protid *cred)
  if (cred)
    ports_port_deref (cred);

The crash happens in ports_port_deref, when trying to derefence pi, which is
just cred but interpreted as a pointer to a struct port_info.

Now, that's weird. It crashes with E_BAD_ACCESS in ports_port_deref, because
it can't access the memory at cred. I verified that in _Xdir_lookup

        start_dir = begin_using_protid_port(In0P->Head.msgh_request_port);

        OutP->RetCode = diskfs_S_dir_lookup(start_dir, In0P->file_name, 
In0P->flags, In0P->mode, &OutP->do_retry, OutP->retry_name, &OutP->result, 

the value of start_dir isn't mangled (wouldn't make sense anyway).
It is the same for diskfs_S_dir_lookup as for end_using_protid_port.
Maybe the memory at this location is accidently freed? How could this
happen? I single stepped through diskfs_S_dir_lookup and diskfs_lookup,
without seeing anything special.

Any hints appreciated,

-- System Information
Debian Release: 2.2
Kernel Version: Linux ulysses 2.4.0-test9 #1 Mon Okt 30 20:36:05 CET 2000 i686 

reply via email to

[Prev in Thread] Current Thread [Next in Thread]