[Drbd-dev] integer signedness mixup problem in drbd_main.c
Marc Schiffbauer
m at sys4.de
Tue Mar 22 13:32:07 CET 2016
* Lars Ellenberg schrieb am 22.03.16 um 11:25 Uhr:
> On Tue, Mar 22, 2016 at 12:18:17AM +0100, Marc Schiffbauer wrote:
> > hi all,
> >
> > using a kernel hardened with grsecurity/PaX we discovered a problem
> > where PaX detects a size overflow after a quite large uptime:
> >
> > PAX: size overflow detected in function drbd_send_dblock
> > drivers/block/drbd/drbd_main.c:1625 cicus.964_133 max, count: 1
> >
> > this was in kernel 3.14.19, but 4.4.5 still seems to have that problem.
> > The line triggering this is:
> >
> > p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&mdev->packet_seq));
>
> Boring.
> seq_num should give it away: it is a sequence number.
> it wraps. that's what sequence numbers do, eventually.
>
> haven't we been here before?
We had another case that had been fixed.
Thanks Lars for the Feedback.
-Marc
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
More information about the drbd-dev
mailing list