[Drbd-dev] integer signedness mixup problem in drbd_main.c
Lars Ellenberg
lars.ellenberg at linbit.com
Tue Mar 22 11:25:17 CET 2016
On Tue, Mar 22, 2016 at 12:18:17AM +0100, Marc Schiffbauer wrote:
> hi all,
>
> using a kernel hardened with grsecurity/PaX we discovered a problem
> where PaX detects a size overflow after a quite large uptime:
>
> PAX: size overflow detected in function drbd_send_dblock
> drivers/block/drbd/drbd_main.c:1625 cicus.964_133 max, count: 1
>
> this was in kernel 3.14.19, but 4.4.5 still seems to have that problem.
> The line triggering this is:
>
> p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&mdev->packet_seq));
Boring.
seq_num should give it away: it is a sequence number.
it wraps. that's what sequence numbers do, eventually.
haven't we been here before?
--
: Lars Ellenberg
: LINBIT | Keeping the Digital World Running
: DRBD -- Heartbeat -- Corosync -- Pacemaker
: R&D, Integration, Ops, Consulting, Support
DRBD® and LINBIT® are registered trademarks of LINBIT
More information about the drbd-dev
mailing list