tags 371076 + patch
quit
On Tue, Jun 13, 2006 at 12:24:04AM +0200, Carlo Contavalli wrote:
> The problem is quite simple: I didn't realize one of the mailbox
> files (a backup file) passed the 2.0G of size. So, the upgrade
> of the system has nothing to do with the crash.
> Now, it is quite simple to reproduce: append some data to a 2.0G
> file under an encrypted mount, and you should see the crash.
Thanks Carlo, I can reproduce it now just fine.
> I think the problem is in:
>
> dodecrypt(k,s,l,salt,vect)
> cfskey *k;
> char *s;
> int l;
> int salt;
> char *vect;
>
> where salt is used as an index in an array:
>
> s[i+j] ^= k->secmask[(i+j+salt)%smsize];
>
> However, dodecrypt is almost always called with something like:
>
> dodecrypt(key,buf,iolen,begin,vect);
>
> where begin is declared as:
>
> u_long begin;
>
> so, if begin is greater than 2.0G (allowed for an unsigned long),
> dodecrypt gets a negative salt (int). The negative salt leads to
> a negative modulus being calculated, underflowing secmask by a
> random amount of data which might be big, depending on smsize.
>
> A quick and dirty fix would probably be to change:
>
> dodecrypt(k,s,l,salt,vect)
> cfskey *k;
> char *s;
> int l;
> u_long salt;
> char *vect;
Yes, your analysis is correct IMO.
> I don't have enough knowledge about NFS interfaces and 64 bits
> offset support when accessing files (lseek64, ...) to know if
> that fix would just be enough, or would just "delay problems"
> until the 4G limit is hit... for sure, the daemon shouldn't
> read some random data from memory, and shouldn't crash, ...
I suggest this patch based on your suggestion; it fixes the problem you
report. On my sid system, I wasn't able to create a file greater than
2GB in a crypted directory anyway, due to EFBIG.
Thanks, Gerrit.
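To make the arithmetic in Carlo's analysis concrete, here is an added example in C (not cfs code): it models what an `int salt` receives when a `u_long` offset past 2 GiB is passed, and compares the secmask index the old and the patched parameter types produce. `SMSIZE`, `narrow_to_int` and the helper names are assumptions of this example, not cfs's own values.

```c
#include <stdio.h>
#include <limits.h>

/* Constructed stand-in for cfs's smsize; the real mask size is not assumed. */
#define SMSIZE 8192

/* Model what `int salt` receives when a u_long `begin` is passed: the
 * two's-complement wrap common compilers perform, written here with
 * arithmetic that C defines so the result is portable. */
static long long narrow_to_int(unsigned long begin)
{
    long long v = (long long)(begin & 0xFFFFFFFFUL);  /* low 32 bits */
    if (v > INT_MAX)
        v -= 4294967296LL;      /* values above INT_MAX become negative */
    return v;
}

/* Index the unpatched dodecrypt computes for byte `pos` (i+j) of a buffer
 * starting at file offset `begin`: (i+j+salt) % smsize with salt an int.
 * C99 gives % the sign of the dividend, so a negative salt yields a
 * negative subscript, i.e. a read before the start of secmask. */
static long long mask_index_int_salt(unsigned long begin, int pos)
{
    return (pos + narrow_to_int(begin)) % SMSIZE;
}

/* Same index with salt kept as u_long (the patched signature): the sum is
 * unsigned, so the result is always in [0, SMSIZE). With a 32-bit u_long the
 * sum itself wraps past 4 GiB, which is the remaining limit Carlo mentions. */
static unsigned long mask_index_ulong_salt(unsigned long begin, int pos)
{
    return ((unsigned long)pos + begin) % SMSIZE;
}

/* 1 when idx is a valid secmask subscript, 0 otherwise. */
static int index_in_bounds(long long idx)
{
    return idx >= 0 && idx < SMSIZE;
}

int main(void)
{
    unsigned long begin = 2147483648UL + 100;   /* 2 GiB + 100: the crash case */
    long long old = mask_index_int_salt(begin, 0);
    unsigned long fixed = mask_index_ulong_salt(begin, 0);
    printf("int salt:    index %lld, in bounds: %d\n", old, index_in_bounds(old));
    printf("u_long salt: index %lu, in bounds: %d\n", fixed, index_in_bounds((long long)fixed));
    return 0;
}
```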
Index: cfs_fh.c
===================================================================
RCS file: /cvs/cfs/cfs_fh.c,v
retrieving revision 1.8
diff -u -r1.8 cfs_fh.c
--- cfs_fh.c 19 Apr 2005 07:41:10 -0000 1.8
+++ cfs_fh.c 10 Jul 2006 09:20:52 -0000
@@ -325,7 +325,7 @@
cfskey *k;
char *s;
int l;
- int salt;
+ u_long salt;
char *vect;
{
int i,j,smsize;
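Review bot: the int-to-u_long change is applied only to this old-style (K&R) parameter list, and a K&R definition is not checked against its callers, so any prototype or forward declaration of this function elsewhere that still says `int salt` has to be updated in the same patch, otherwise the narrowing to int simply moves to the call site; the hunk shows no header change. Inside the body, `(i+j+salt)%smsize` now evaluates in unsigned long because `i`, `j` and `smsize` remain `int` (`int i,j,smsize;`), which is correct as long as `smsize` is positive; a short comment that `salt` carries a file offset and must not be narrowed would help the next reader.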
@@ -347,7 +347,7 @@
cfskey *k;
char *s;
int l;
- int salt;
+ u_long salt;
char *vect;
{
int i,j,smsize;
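Review bot: the hunk header `@@ -347,7 +347,7 @@` carries no function name, so the patch alone does not say which second routine receives the identical change; a `diff -p`, or a sentence in the mail naming both functions, would make the review easier. As in the first hunk, `i`, `j` and `smsize` stay `int` while `salt` becomes `u_long`, so keep both bodies' index expressions identical to avoid one path being fixed while the other still narrows, and add a regression check that appends to a file just past 2 GiB under the encrypted mount, as the report describes, to confirm both paths.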