Date: 
Sat, 7 Jul 2007 19:47:12 GMT
From: Craig Rodrigues
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/114389: MOKB testcase causes kernel to crash in UFS mount code

>Number: 114389
>Category: kern
>Synopsis: MOKB testcase causes kernel to crash in UFS mount code
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jul 07 19:50:08 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Craig Rodrigues
>Release: CURRENT
>Organization:
>Environment:
FreeBSD 7.0-CURRENT FreeBSD 7.0-CURRENT #24: Sat Jul 7 15:09:35 EDT 2007 /usr/obj/usr/src/sys/MYKERNEL1 i386
>Description:
The testcase at:
http://projects.info-pull.com/mokb/MOKB-08-11-2006.html
can cause the kernel to crash in the UFS mount code.
>How-To-Repeat:
(1) fetch http://projects.info-pull.com/mokb/bug-files/MOKB-08-11-2006.img.bz2
(2) bunzip2 MOKB-08-11-2006.img.bz2
(3) mdconfig -a -t vnode -f ./MOKB-08-11-2006.img -u 0
(4) mount /dev/md0 /mnt
>Fix:
See attached patch.

Patch attached with submission follows:

Index: ffs_vnops.c =================================================================== RCS file: /home/ncvs/src/sys/ufs/ffs/ffs_vnops.c,v retrieving revision 1.172 diff -u -u -r1.172 ffs_vnops.c --- ffs_vnops.c 12 Jun 2007 00:12:01 -0000 1.172 +++ ffs_vnops.c 7 Jul 2007 19:46:36 -0000 
@@ -1192,14 +1192,18 @@ { struct inode *ip; struct ufs2_dinode *dp; + struct fs *fs; struct uio luio; struct iovec liovec; int easize, error; u_char *eae; ip = VTOI(vp); + fs = ip->i_fs; dp = ip->i_din2; easize = dp->di_extsize; + if ((uoff_t)(easize + extra) > NXADDR * fs->fs_bsize) + return (EFBIG); eae = malloc(easize + extra, M_TEMP, M_WAITOK); >Release-Note: >Audit-Trail: >Unformatted:
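Review bot: in the added check, the cast in `(uoff_t)(easize + extra)` is applied after the addition, and `easize` is declared `int`, so the sum is formed in the operands' own type first and a wrapped result could be what gets compared against the limit. Widen before adding, for example `(uoff_t)easize + extra`, or reject a negative or oversized `easize` on its own right after `easize = dp->di_extsize;`, so that the size passed to `malloc(easize + extra, M_TEMP, M_WAITOK)` is bounded by the value that was actually checked. A one-line comment saying that `di_extsize` is read from the inode of a possibly corrupt image, and why `NXADDR * fs->fs_bsize` is the upper limit, would make the intent of the `EFBIG` return clear to later readers.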