[Drbd-dev] integer signedness mixup problem in drbd_main.c

Lars Ellenberg lars.ellenberg at linbit.com
Tue Mar 22 11:25:17 CET 2016


On Tue, Mar 22, 2016 at 12:18:17AM +0100, Marc Schiffbauer wrote:
> hi all,
> 
> using a kernel hardened with grsecurity/PaX we discovered a problem 
> where PaX detects a size overflow after a quite large uptime:
> 
> PAX: size overflow detected in function drbd_send_dblock 
> drivers/block/drbd/drbd_main.c:1625 cicus.964_133 max, count: 1
> 
> this was in kernel 3.14.19, but 4.4.5 still seems to have that problem.  
> The line triggering this is:
> 
> p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&mdev->packet_seq));

Boring.
seq_num should give it away: it is a sequence number.
it wraps. that's what sequence numbers do, eventually.

haven't we been here before?


-- 
: Lars Ellenberg
: LINBIT | Keeping the Digital World Running
: DRBD -- Heartbeat -- Corosync -- Pacemaker
: R&D, Integration, Ops, Consulting, Support

DRBD® and LINBIT® are registered trademarks of LINBIT
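Added example, not part of the original message and not DRBD code: a 32-bit sequence counter kept in unsigned arithmetic, where wrapping is defined behaviour, together with an ordering check that stays correct across the wrap. The names `seq_counter`, `seq_next` and `seq_newer` are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a per-device packet sequence counter. */
struct seq_counter {
    uint32_t value;
};

/*
 * Advance the counter and return the new value.
 * Unsigned arithmetic is reduced modulo 2^32 by the C standard, so the
 * step past INT_MAX and the step past UINT32_MAX are both well defined.
 */
static uint32_t seq_next(struct seq_counter *c)
{
    c->value += 1u;
    return c->value;
}

/*
 * Wrap-tolerant ordering (serial number arithmetic): a is newer than b
 * when the forward distance from b to a, taken modulo 2^32, is non-zero
 * and less than 2^31. Only meaningful while the two values are less
 * than 2^31 steps apart.
 */
static int seq_newer(uint32_t a, uint32_t b)
{
    uint32_t distance = a - b;   /* wraps modulo 2^32 */
    return distance != 0u && distance < 0x80000000u;
}

int main(void)
{
    /* Constructed sample values around the two boundaries. */
    struct seq_counter c = { (uint32_t)INT_MAX };
    uint32_t after_int_max = seq_next(&c);

    c.value = UINT32_MAX;
    uint32_t after_uint_max = seq_next(&c);

    printf("INT_MAX + 1    -> 0x%08x\n", (unsigned)after_int_max);
    printf("UINT32_MAX + 1 -> 0x%08x\n", (unsigned)after_uint_max);
    printf("0 newer than UINT32_MAX? %d\n", seq_newer(0u, UINT32_MAX));
    printf("UINT32_MAX newer than 0? %d\n", seq_newer(UINT32_MAX, 0u));
    return 0;
}
```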

