[Drbd-dev] integer signedness mixup problem in drbd_main.c

Marc Schiffbauer m at sys4.de
Tue Mar 22 13:32:07 CET 2016


* Lars Ellenberg wrote on 22.03.16 at 11:25:
> On Tue, Mar 22, 2016 at 12:18:17AM +0100, Marc Schiffbauer wrote:
> > hi all,
> > 
> > using a kernel hardened with grsecurity/PaX we discovered a problem 
> > where PaX detects a size overflow after a quite large uptime:
> > 
> > PAX: size overflow detected in function drbd_send_dblock 
> > drivers/block/drbd/drbd_main.c:1625 cicus.964_133 max, count: 1
> > 
> > this was in kernel 3.14.19, but 4.4.5 still seems to have that problem.  
> > The line triggering this is:
> > 
> > p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&mdev->packet_seq));
> 
> Boring.
> seq_num should give it away: it is a sequence number.
> it wraps. that's what sequence numbers do, eventually.
> 
> haven't we been here before?

We had another case that had been fixed.

Thanks Lars for the feedback.

-Marc

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München (district court): HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
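
A 32-bit sequence number that wraps on purpose, as discussed in the thread above, can be kept in an unsigned type and compared with wrap-aware arithmetic. This is an added example, not part of the original messages and not DRBD's code; `struct seq_counter`, `seq_next`, `seq_crosses_signed_max` and `seq_cmp` are hypothetical names, and the starting values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a per-device packet counter (not DRBD's struct). */
struct seq_counter {
    uint32_t value;
};

/* Advance the counter. Unsigned arithmetic is defined to wrap modulo 2^32,
 * so 0xFFFFFFFF + 1 == 0 with no undefined behaviour. */
static uint32_t seq_next(struct seq_counter *c)
{
    c->value += 1u;
    return c->value;
}

/* True when the next increment crosses INT32_MAX, i.e. the point at which
 * the same counter held in a signed 32-bit type would leave its range. */
static int seq_crosses_signed_max(const struct seq_counter *c)
{
    return c->value == (uint32_t)INT32_MAX;
}

/* Wrap-aware ordering: 1 if a is newer than b, -1 if older, 0 if equal.
 * Correct as long as the two numbers are less than 2^31 apart. */
static int seq_cmp(uint32_t a, uint32_t b)
{
    uint32_t diff = a - b;          /* modulo 2^32 distance from b to a */
    if (diff == 0)
        return 0;
    return diff < 0x80000000u ? 1 : -1;
}

int main(void)
{
    /* Constructed starting value just below the unsigned wrap point. */
    struct seq_counter c = { 0xFFFFFFFEu };
    uint32_t before = seq_next(&c);  /* 0xFFFFFFFF */
    uint32_t after = seq_next(&c);   /* wraps to 0 */

    /* A plain "after > before" is false here; seq_cmp still reports newer. */
    printf("before=%u after=%u plain=%d seq_cmp=%d\n", (unsigned)before,
           (unsigned)after, after > before, seq_cmp(after, before));
    return 0;
}
```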

