From: bugzilla-noreply@freebsd.org
To: freebsd-amd64@FreeBSD.org
Subject: [Bug 214423] dosfs support in libstand is broken since r298230
Date: Fri, 11 Nov 2016 15:11:56 +0000
List-Id: Porting FreeBSD to the AMD64 platform
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214423

            Bug ID: 214423
           Summary: dosfs support in libstand is broken since r298230
           Product: Base System
           Version: 11.0-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: Mikhail.Kupchik@gmail.com
                CC: freebsd-amd64@FreeBSD.org

Created attachment 176899
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=176899&action=edit
Patch for lib/libstand/dosfs.c

Support for the dosfs filesystem in loader.efi (via libstand) works as expected
in FreeBSD 10.3, but is broken since FreeBSD 11.0.

How to reproduce this problem:

# cd ~
# dd if=/dev/zero of=mfsroot bs=1m count=12
# set MDEV=`mdconfig -a -t vnode -f mfsroot`
# newfs -O 1 /dev/$MDEV
# mount /dev/$MDEV /mnt
# mkdir /mnt/dev
# mkdir /mnt/sbin
# cp /rescue/sh /mnt/sbin/init
# umount /mnt
# mdconfig -d -u $MDEV
# dd if=/dev/zero of=testbootfs bs=1m count=128
# set MDEV=`mdconfig -a -t vnode -f testbootfs`
# gpart create -s gpt $MDEV
# gpart add -t efi $MDEV
# newfs_msdos "${MDEV}p1"
# mount -t msdosfs "/dev/${MDEV}p1" /mnt
# mkdir /mnt/boot
# mv mfsroot /mnt/boot/
# cp /boot/kernel/kernel /mnt/boot/kernel
# echo 'set vfs.root.mountfrom="ufs:/dev/md0"' > /mnt/boot/loader.rc
# echo 'load /boot/kernel' >> /mnt/boot/loader.rc
# echo 'load -t mfsroot /boot/mfsroot' >> /mnt/boot/loader.rc
# echo 'boot' >> /mnt/boot/loader.rc
# mkdir -p /mnt/efi/boot
# cp /boot/loader.efi /mnt/efi/boot/bootx64.efi
# umount /mnt
# mdconfig -d -u $MDEV

Then write ~/testbootfs to a USB thumb drive and attempt to boot from it in
UEFI mode.

Expected behavior: normal boot until init.

Actual behavior: when the loader is reading the kernel from disk, the UEFI
firmware crashes due to heap corruption.
The problem can be reproduced under 12-CURRENT and 11.0-RELEASE-p2. The problem
can't be reproduced under 10.3-RELEASE-p11. Bisection shows that the problem is
related to changes in lib/libstand/dosfs.c made in r298230.

This problem seems to be caused by a long disk read (past the end of the
allocated buffer) in lib/libstand/dosfs.c:ioread() or in the device strategy
functions called in that context.

The attached patch for lib/libstand/dosfs.c fixes this heap corruption (and also
simplifies fetching of the next cluster from the FAT cache):

-- 
You are receiving this mail because:
You are on the CC list for the bug.
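As an added illustration of the bug class the report describes (this is not libstand's dosfs.c and not the attached patch, which the report does not reproduce): a hypothetical sector-granular read that rounds the request up to whole sectors and lets the device write straight into the caller's buffer, beside a bounded variant that bounces the partial tail sector, with a harness that allocates exactly `len` bytes plus a guard region and reports whether the guard survived. The sector size, the in-memory device and all function names are constructed for the example; reads are assumed to start sector-aligned.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SECTOR_SIZE 512
#define DEV_SECTORS 8
/* Constructed in-memory "disk" standing in for the boot device; byte b holds (uint8_t)b. */
static uint8_t dev[DEV_SECTORS * SECTOR_SIZE];
/* Strategy-style device read: whole sectors only; trusts that dst holds nsec sectors. */
static int dev_strategy(size_t sector, size_t nsec, uint8_t *dst)
{
	if (sector + nsec > DEV_SECTORS)
		return (-1);
	memcpy(dst, dev + sector * SECTOR_SIZE, nsec * SECTOR_SIZE);
	return (0);
}

/* Bug pattern: len is rounded up to whole sectors and the device writes straight
 * into dst, so up to SECTOR_SIZE-1 bytes land past the end of the allocation. */
static int ioread_unbounded(size_t off, uint8_t *dst, size_t len)
{
	return (dev_strategy(off / SECTOR_SIZE, (len + SECTOR_SIZE - 1) / SECTOR_SIZE, dst));
}

/* Bounded variant: full sectors go to dst, a partial tail sector goes through a
 * bounce buffer, so exactly len bytes are written to dst and never more. */
static int ioread_bounded(size_t off, uint8_t *dst, size_t len)
{
	size_t sector = off / SECTOR_SIZE, full = len / SECTOR_SIZE, tail = len % SECTOR_SIZE;
	uint8_t bounce[SECTOR_SIZE];
	if (full > 0 && dev_strategy(sector, full, dst) != 0)
		return (-1);
	if (tail > 0 && dev_strategy(sector + full, 1, bounce) != 0)
		return (-1);
	memcpy(dst + full * SECTOR_SIZE, bounce, tail);
	return (0);
}

/* Harness: read len bytes at sector-aligned off into a heap buffer of exactly len bytes
 * followed by a 0xA5 guard kept inside the same allocation (so an overrun is observable,
 * not undefined behaviour); returns 1 if the data is correct and the guard is intact. */
static int check_reader(int (*rd)(size_t, uint8_t *, size_t), size_t off, size_t len)
{
	const size_t guard = SECTOR_SIZE;
	uint8_t *buf = malloc(len + guard);
	int ok;
	if (buf == NULL) return (0);
	for (size_t b = 0; b < sizeof(dev); b++) dev[b] = (uint8_t)b;
	memset(buf + len, 0xA5, guard);
	ok = rd(off, buf, len) == 0 && memcmp(buf, dev + off, len) == 0;
	for (size_t i = 0; i < guard; i++) ok &= (buf[len + i] == 0xA5);
	free(buf);
	return (ok);
}
```

With a 1000-byte request starting at sector 2, the unbounded reader returns the right data but clobbers 24 bytes of the guard, which is the kind of silent heap overrun a firmware allocator cannot survive; the bounded reader leaves the guard untouched.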