
Re: [debian-lts] e2fsprogs package



Hi,

I have a problem with the squeeze-lts update of e2fsprogs + e2fslibs:
some of my virtual servers using Xen (in PV mode) don't boot anymore.

At boot time I obtain:

[    1.388541] Write protecting the kernel read-only data: 6144k
[    1.390943] Freeing unused kernel memory: 976k freed
[    1.391535] Freeing unused kernel memory: 812k freed
Loading, please wait...
[    1.420157] udev[80]: starting version 164
[    1.490815] end_request: I/O error, dev xvdb, sector 0
[    1.490826] Buffer I/O error on device xvdb, logical block 0
[    1.491696] end_request: I/O error, dev xvda, sector 0
[    1.491703] Buffer I/O error on device xvda, logical block 0
[    1.496218] end_request: I/O error, dev xvda, sector 0
[    1.496229] Buffer I/O error on device xvda, logical block 0
[    1.496237] end_request: I/O error, dev xvdb, sector 0
[    1.496241] Buffer I/O error on device xvdb, logical block 0
[    1.504225] end_request: I/O error, dev xvda, sector 0
[    1.504238] Buffer I/O error on device xvda, logical block 0
[    1.504250] end_request: I/O error, dev xvdb, sector 0
[    1.504253] Buffer I/O error on device xvdb, logical block 0
[    1.512217] end_request: I/O error, dev xvda, sector 0
[    1.512230] Buffer I/O error on device xvda, logical block 0
[    1.512241] end_request: I/O error, dev xvdb, sector 0
[    1.512245] Buffer I/O error on device xvdb, logical block 0
[    1.520205] end_request: I/O error, dev xvda, sector 0
[    1.520215] Buffer I/O error on device xvda, logical block 0
[    1.520230] end_request: I/O error, dev xvdb, sector 0
[    1.528230] end_request: I/O error, dev xvdb, sector 0
[    1.532223] end_request: I/O error, dev xvda, sector 0
[    1.536203] end_request: I/O error, dev xvdb, sector 0
[    1.540228] end_request: I/O error, dev xvda, sector 0
[    1.544236] end_request: I/O error, dev xvdb, sector 0
[    1.548221] end_request: I/O error, dev xvda, sector 0
[    1.552200] end_request: I/O error, dev xvdb, sector 0
[    1.556223] end_request: I/O error, dev xvda, sector 0
[    1.560212] end_request: I/O error, dev xvdb, sector 0
[    1.564222] end_request: I/O error, dev xvda, sector 0
[    1.568224] end_request: I/O error, dev xvdb, sector 56
[    1.572199] end_request: I/O error, dev xvda, sector 56
[    1.576208] end_request: I/O error, dev xvdb, sector 0
[    1.584233] end_request: I/O error, dev xvda, sector 0
[    1.584266] end_request: I/O error, dev xvdb, sector 0
[    1.592234] end_request: I/O error, dev xvda, sector 0
[    1.592269] end_request: I/O error, dev xvdb, sector 62914432
[    1.600291] end_request: I/O error, dev xvda, sector 4194176
[    1.600334] end_request: I/O error, dev xvdb, sector 62914544
[    1.608249] end_request: I/O error, dev xvda, sector 4194288


And I can mount those FS from a wheezy system without any problem (nor
warning). If I revert back e2fsprogs and e2fslibs to the squeeze
«1.41.12-4stable1» everything boots fine.

Any idea what's happening?

Thanks,
Olivier

On Monday 16 February 2015 at 11:59 +0100, Raphael Hertzog wrote:
> Hello Nguyen,
> 
> first of all I noticed that "e2fsprogs" was not in "dla-needed.txt" but
> that you added it yourself. I would suggest to not do that unless you
> want to help with CVE triaging.
> 
> In this case, the issue has been marked "no-dsa" for wheezy by the
> security team and this issue would have disappeared from
> https://security-tracker.debian.org/tracker/status/release/oldstable when
> someone of the LTS team would have tagged it "no-dsa" for squeeze as well.
> 
> The best way to help the LTS team is to concentrate your efforts on issues
> that have been classified as severe enough and that have been added to
> data/dla-needed.txt by someone who has been doing CVE triaging.
> 
> That said, now that you prepared this update, I'm going to upload it.
> 
> On Tue, 10 Feb 2015, Nguyen Cong wrote:
> > Oops, stupid mistakes.
> > I have fixed it, could you please check it again.
> 
> It looks good. Did you test it?
> 
> When you're asking someone else to upload it for you, you need
> to give us some confidence that the upload won't break anything.
> As such, telling us the tests you did is a good idea.
> 
> Also the description you write for the announce should target
> end users and not programmers. So "libext2fs was vulnerable to a potential
> buffer overflow if s_first_meta_bg is too big. This fix doesn't correct
> the bad value of s_first_meta_bg but avoids causing e2fsprogs userspace
> programs from potential crashing." is not really satisfactory.
> 
> I would suggest something simpler:
> « A broken (or maliciously crafted) file system could trigger a buffer
> overflow in e2fsprogs. »
> 
> Anyway, I have tested the update and sent the package. The announce
> will follow.
> 
> Thanks for your help!
> -- 
> Raphaël Hertzog ◈ Debian Developer
> 
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/
> 
> 
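
Added example (not part of the thread, and not the libext2fs patch): a range check on s_first_meta_bg, the superblock field the quoted announcement text names, done before the value is used as an index. Field offsets follow the standard ext2 on-disk superblock layout; the bound (number of group descriptor blocks), the function names and the sample values are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT2_MAGIC       0xEF53u
#define INCOMPAT_META_BG 0x0010u
#define DESC_SIZE        32u  /* classic ext2/3 descriptor; 64bit feature not handled */

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* -1: superblock unusable; 0: s_first_meta_bg in range or feature off;
 *  1: s_first_meta_bg exceeds the descriptor block count.
 * *safe receives the field clamped to that count. */
int check_first_meta_bg(const uint8_t *sb, uint32_t *safe) {
    uint32_t blocks = le32(sb + 0x04), first = le32(sb + 0x14);
    uint32_t log_bs = le32(sb + 0x18), per_grp = le32(sb + 0x20);
    uint32_t incompat = le32(sb + 0x60), meta_bg = le32(sb + 0x104);

    if ((le32(sb + 0x38) & 0xFFFFu) != EXT2_MAGIC) return -1;  /* s_magic is 16-bit */
    if (log_bs > 6 || per_grp == 0 || blocks <= first) return -1;

    uint64_t per_block = (1024u << log_bs) / DESC_SIZE;   /* descriptors per block */
    uint64_t groups = ((uint64_t)blocks - first + per_grp - 1) / per_grp;
    uint64_t desc_blocks = (groups + per_block - 1) / per_block;

    *safe = meta_bg > desc_blocks ? (uint32_t)desc_blocks : meta_bg;
    return (incompat & INCOMPAT_META_BG) && meta_bg > desc_blocks;
}

/* Constructed sample: 1 GiB file system, 4 KiB blocks, 8 groups, meta_bg on. */
void make_sample_sb(uint8_t *sb, uint32_t first_meta_bg) {
    memset(sb, 0, 1024);
    put32(sb + 0x04, 262144);           /* s_blocks_count */
    put32(sb + 0x18, 2);                /* s_log_block_size: 1024 << 2 */
    put32(sb + 0x20, 32768);            /* s_blocks_per_group */
    put32(sb + 0x38, EXT2_MAGIC);       /* s_magic in the low 16 bits */
    put32(sb + 0x60, INCOMPAT_META_BG); /* s_feature_incompat */
    put32(sb + 0x104, first_meta_bg);   /* s_first_meta_bg */
}

int main(void) {
    uint8_t sb[1024]; uint32_t safe;
    make_sample_sb(sb, 0x7FFFFFFFu);    /* constructed out-of-range value */
    printf("rc=%d\n", check_first_meta_bg(sb, &safe));
    printf("clamped s_first_meta_bg=%u\n", safe);
    return 0;
}
```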


