
Bug#864802: marked as done (stretch-pu: squashfs-tools)



Your message dated Sat, 22 Jul 2017 13:17:18 +0100
with message-id <1500725838.14212.3.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.1 p-u fixes
has caused the Debian Bug report #864802,
regarding stretch-pu: squashfs-tools
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
864802: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864802
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

There are two data corruption bugs in squashfs-tools that are fixed in the
last upload for Sid. I let it age seven days even if the fixes are quite
straightforward.

The first is due to a rare race condition in filesystem
finalization[1] and the fix is to hold the thread lock longer, until the
write buffer is put in line on the queue.
+-                      pthread_mutex_unlock(&fragment_mutex);
+                       queue_put(to_writer, write_buffer);
++                      pthread_mutex_unlock(&fragment_mutex);

The second is a 2 GB limit on file size under certain conditions, as one
place used a wrong (size-limited) variable type. As such, the fix
is the following.
+-      int file_size = inode->buf.st_size;
++      off_t file_size = inode->buf.st_size;
An Endless OS developer also confirmed[2] that the fix is correct.

Full debdiff is attached.

Thanks for your consideration,
Laszlo/GCS
[1] https://github.com/plougher/squashfs-tools/commit/de03266983ceb62e5365aac84fcd3b2fd4d16e6f
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788185#37
diff -Nru squashfs-tools-4.3/debian/changelog squashfs-tools-4.3/debian/changelog
--- squashfs-tools-4.3/debian/changelog	2015-10-21 20:03:07.000000000 +0000
+++ squashfs-tools-4.3/debian/changelog	2017-06-07 17:47:58.000000000 +0000
@@ -1,3 +1,12 @@
+squashfs-tools (1:4.3-4) unstable; urgency=medium
+
+  * Backport patch to fix rare race in fragment waiting in filesystem
+    finalisation.
+  * Backport fix for 2GB-limit of the is_fragment(...) function
+    (closes: #788185).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 07 Jun 2017 17:47:58 +0000
+
 squashfs-tools (1:4.3-3) unstable; urgency=low
 
   * Use patch from upstream BTS to support LZMA magics (closes: #802446).
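Review bot: the new changelog entry at the top of this hunk targets unstable as 1:4.3-4, but the request is for stretch-pu; the stretch upload needs its own entry with the distribution set to stretch and a version that sorts between the package in stretch and 1:4.3-4 (for example 1:4.3-3+deb9u1), so the debdiff attached should be the one for that upload rather than the unstable one. Also, the race-fix bullet cites neither a bug nor a commit; recording the upstream commit id de03266983ceb62e5365aac84fcd3b2fd4d16e6f (it is already in the patch header) in the entry keeps the backport traceable for whoever audits the point release.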
diff -Nru squashfs-tools-4.3/debian/patches/0006-uptream-fix-race.patch squashfs-tools-4.3/debian/patches/0006-uptream-fix-race.patch
--- squashfs-tools-4.3/debian/patches/0006-uptream-fix-race.patch	1970-01-01 00:00:00.000000000 +0000
+++ squashfs-tools-4.3/debian/patches/0006-uptream-fix-race.patch	2017-06-07 17:47:58.000000000 +0000
@@ -0,0 +1,54 @@
+commit de03266983ceb62e5365aac84fcd3b2fd4d16e6f
+Author: Phillip Lougher <phillip@squashfs.org.uk>
+Date:   Thu Sep 18 01:28:11 2014 +0100
+
+    mksquashfs: fix rare race in fragment waiting in filesystem finalisation
+    
+    Fix a rare race condition in fragment waiting when finalising the
+    filesystem.  This is a race condition that was initially fixed in 2009,
+    but inadvertantly re-introduced in the latest release when the code
+    was rewritten.
+    
+    Background:
+    
+    When finalising the filesystem, the main control thread needs to ensure
+    all the in-flight fragments have been queued to the writer thread before
+    asking the writer thread to finish, and then writing the metadata.
+    
+    It does this by waiting on the fragments_outstanding counter.  Once this
+    counter reaches 0, it synchronises with the writer thread, waiting until
+    the writer thread reports no outstanding data to be written.
+    
+    However, the main thread can race with the fragment deflator thread(s)
+    because the fragment deflator thread(s) decrement the fragments_outstanding
+    counter and release the mutex before queueing the compressed fragment
+    to the writer thread, i.e. the offending code is:
+    
+                            fragments_outstanding --;
+                            pthread_mutex_unlock(&fragment_mutex);
+                            queue_put(to_writer, write_buffer);
+    
+    In extremely rare circumstances, the main thread may see the
+    fragments_outstanding counter is zero before the fragment
+    deflator sends the fragment buffer to the writer thread, and synchronise
+    with the writer thread, and finalise before the fragment has been written.
+    
+    The fix is to ensure the fragment is queued to the writer thread
+    before releasing the mutex.
+    
+    Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+
+diff --git a/squashfs-tools/mksquashfs.c b/squashfs-tools/mksquashfs.c
+index 87b7d86..f1fcff1 100644
+--- a/squashfs-tools/mksquashfs.c
++++ b/squashfs-tools/mksquashfs.c
+@@ -2445,8 +2445,8 @@ void *frag_deflator(void *arg)
+ 			write_buffer->block = bytes;
+ 			bytes += compressed_size;
+ 			fragments_outstanding --;
+-			pthread_mutex_unlock(&fragment_mutex);
+ 			queue_put(to_writer, write_buffer);
++			pthread_mutex_unlock(&fragment_mutex);
+ 			TRACE("Writing fragment %lld, uncompressed size %d, "
+ 				"compressed size %d\n", file_buffer->block,
+ 				file_buffer->size, compressed_size);
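Review bot: the reordering at mksquashfs.c:2445 moves queue_put(to_writer, write_buffer) inside the fragment_mutex critical section, so the lock is now held across a call into the writer queue. That is exactly what closes the window the commit message describes, but it is only safe if queue_put cannot block (for instance on a full queue) while the writer thread, or anything the writer waits on, needs fragment_mutex; please confirm that for the 4.3 queue implementation, since a blocking put here would turn a rare lost fragment into a deadlock at finalisation. The debdiff header counts 54 added lines and the embedded commit text matches the upstream message, so the backport itself looks faithful.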
diff -Nru squashfs-tools-4.3/debian/patches/0007-fix-2GB-limit-in-mksquashfs.patch squashfs-tools-4.3/debian/patches/0007-fix-2GB-limit-in-mksquashfs.patch
--- squashfs-tools-4.3/debian/patches/0007-fix-2GB-limit-in-mksquashfs.patch	1970-01-01 00:00:00.000000000 +0000
+++ squashfs-tools-4.3/debian/patches/0007-fix-2GB-limit-in-mksquashfs.patch	2017-06-07 17:47:58.000000000 +0000
@@ -0,0 +1,27 @@
+From 9c1db6d13a51a2e009f0027ef336ce03624eac0d Mon Sep 17 00:00:00 2001
+From: "Guan, Xin" <guanx.bac@gmail.com>
+Date: Sat, 13 Sep 2014 13:15:26 +0200
+Subject: [PATCH] Fix 2GB-limit of the is_fragment(...) function.
+
+Applies to squashfs-tools 4.3.
+
+Reported-by: Bruno Wolff III <bruno@wolff.to>
+Signed-off-by: Guan, Xin <guanx.bac@gmail.com>
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/mksquashfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/squashfs-tools/mksquashfs.c b/squashfs-tools/mksquashfs.c
+index f1fcff1..d221c35 100644
+--- a/squashfs-tools/mksquashfs.c
++++ b/squashfs-tools/mksquashfs.c
+@@ -2055,7 +2055,7 @@ struct file_info *duplicate(long long file_size, long long bytes,
+ 
+ inline int is_fragment(struct inode_info *inode)
+ {
+-	int file_size = inode->buf.st_size;
++	off_t file_size = inode->buf.st_size;
+ 
+ 	/*
+ 	 * If this block is to be compressed differently to the
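Review bot: the change at mksquashfs.c:2055 from int to off_t only removes the 2 GB limit where off_t is 64 bits wide. On the 32-bit architectures stretch ships that requires the build to define _FILE_OFFSET_BITS=64 so that st_size itself is 64-bit; please check that the Debian build flags or the upstream Makefile set it, otherwise the value is truncated before this assignment and the patch changes nothing there. The hunk also stops before the comparisons that use file_size, so it is worth checking in the applied source that they compare against types wide enough not to reintroduce the truncation.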
diff -Nru squashfs-tools-4.3/debian/patches/series squashfs-tools-4.3/debian/patches/series
--- squashfs-tools-4.3/debian/patches/series	2015-10-20 10:59:24.000000000 +0000
+++ squashfs-tools-4.3/debian/patches/series	2017-06-07 17:47:58.000000000 +0000
@@ -2,3 +2,5 @@
 0002-fix_phys_mem_calculation.patch
 0003-CVE-2015-4645_and_CVE-2015-4646.patch
 0004-unsquashfs-add-support-for-LZMA-magics.patch
+0006-uptream-fix-race.patch
+0007-fix-2GB-limit-in-mksquashfs.patch
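Review bot: the two new entries are numbered 0006 and 0007 while no 0005 appears in this diff; the gap is harmless to quilt but looks like a leftover, and 0006-uptream-fix-race.patch carries a typo (uptream) in its file name that will be frozen into the stretch upload. Suggest renaming to 0005-upstream-fix-race.patch and 0006-fix-2GB-limit-in-mksquashfs.patch (or keeping the numbers and fixing the spelling) and updating the patch file headers in the debdiff to match.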

--- End Message ---
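The finalisation race in the first patch is easier to see in a reduced model than in the full mksquashfs source. The following is an added example, not code from squashfs-tools or from this thread: it reuses the names fragments_outstanding, fragment_mutex, to_writer and frag_deflator from the commit message, but the queue, the thread count and the finish sentinel are constructed for the demonstration. Each deflator thread decrements the counter and queues one fragment; the main thread waits for the counter to reach zero and then sends a finish sentinel, as the commit message describes. run_model(1) uses the pre-fix ordering (unlock, then queue_put) and may finalise with fragments still in flight; run_model(0) uses the fixed ordering and always sees every fragment ahead of the sentinel.

```c
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>

#define NFRAGS 64            /* fragments in flight at finalisation (constructed) */
#define QCAP   (NFRAGS + 1)  /* every fragment plus the sentinel fits, so queue_put
                                never blocks while fragment_mutex is held */
#define FINISH 0             /* sentinel the main thread sends to the writer */

/* Constructed stand-in for the mksquashfs writer queue. */
struct queue {
    pthread_mutex_t m;
    pthread_cond_t  nonempty;
    int items[QCAP];
    int head, tail, count;
};

static void queue_init(struct queue *q)
{
    pthread_mutex_init(&q->m, NULL);
    pthread_cond_init(&q->nonempty, NULL);
    q->head = q->tail = q->count = 0;
}

static void queue_put(struct queue *q, int v)
{
    pthread_mutex_lock(&q->m);
    if (q->count == QCAP)    /* cannot happen at this capacity; fail loudly if it does */
        abort();
    q->items[q->tail] = v;
    q->tail = (q->tail + 1) % QCAP;
    q->count++;
    pthread_cond_signal(&q->nonempty);
    pthread_mutex_unlock(&q->m);
}

static int queue_get(struct queue *q)
{
    pthread_mutex_lock(&q->m);
    while (q->count == 0)
        pthread_cond_wait(&q->nonempty, &q->m);
    int v = q->items[q->head];
    q->head = (q->head + 1) % QCAP;
    q->count--;
    pthread_mutex_unlock(&q->m);
    return v;
}

struct model {
    pthread_mutex_t fragment_mutex;
    int fragments_outstanding;
    struct queue to_writer;
    int unlock_before_put;   /* 1 = pre-fix ordering, 0 = ordering after the fix */
};

/* Tail of frag_deflator(): one compressed fragment per thread. */
static void *frag_deflator(void *arg)
{
    struct model *m = arg;
    pthread_mutex_lock(&m->fragment_mutex);
    m->fragments_outstanding--;
    if (m->unlock_before_put) {
        pthread_mutex_unlock(&m->fragment_mutex);
        sched_yield();       /* widen the window between "counter is 0" and "queued" */
        queue_put(&m->to_writer, 1);
    } else {
        queue_put(&m->to_writer, 1);
        pthread_mutex_unlock(&m->fragment_mutex);
    }
    return NULL;
}

/* Runs the handshake and returns how many fragments reached the writer before
 * the FINISH sentinel, i.e. before the filesystem was finalised. */
int run_model(int unlock_before_put)
{
    struct model m;
    pthread_t tid[NFRAGS];
    pthread_mutex_init(&m.fragment_mutex, NULL);
    m.fragments_outstanding = NFRAGS;
    m.unlock_before_put = unlock_before_put;
    queue_init(&m.to_writer);
    for (int i = 0; i < NFRAGS; i++)
        if (pthread_create(&tid[i], NULL, frag_deflator, &m) != 0)
            abort();

    /* Main thread: wait on fragments_outstanding under the mutex. */
    pthread_mutex_lock(&m.fragment_mutex);
    while (m.fragments_outstanding > 0) {
        pthread_mutex_unlock(&m.fragment_mutex);
        sched_yield();
        pthread_mutex_lock(&m.fragment_mutex);
    }
    pthread_mutex_unlock(&m.fragment_mutex);

    /* Counter hit zero: finalise. Fixed ordering guarantees every fragment is
     * already queued ahead of the sentinel; the old ordering does not. */
    queue_put(&m.to_writer, FINISH);
    int written = 0;
    while (queue_get(&m.to_writer) != FINISH)
        written++;
    for (int i = 0; i < NFRAGS; i++)
        pthread_join(tid[i], NULL);
    return written;
}

int main(void)
{
    printf("fixed ordering: %d/%d fragments queued before finalise\n", run_model(0), NFRAGS);
    printf("old ordering:   %d/%d fragments queued before finalise\n", run_model(1), NFRAGS);
    return 0;
}
```

The model deliberately sizes the queue so that queue_put never blocks, because holding fragment_mutex across a blocking put is the one way the fixed ordering could go wrong (a writer that needed fragment_mutex to drain would deadlock); the race only shows in the old ordering, and how often depends on scheduling, so a lower count from run_model(1) is possible but not guaranteed on any single run.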
--- Begin Message ---
Version: 9.1

Hi,

These bugs all relate to updates which were included in today's stretch
point release.

Regards,

Adam

--- End Message ---
