Date: Mon, 18 Oct 2021 16:03:29 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 259024] ext2_search_dirblock() loops forever if e2d_reclen is zero
Message-ID: <bug-259024-227-N3m43OoT2x@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-259024-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-259024-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259024

--- Comment #1 from Fedor Uporov <fsu@FreeBSD.org> ---
Hi, Robert.

Thanks a lot for the reports and images for reproduction.
I successfully reproduced the current issue on amd64 with a crash instead of an infinite loop:

#14 0xffffffff810f1927 in trap (frame=0xfffffe00af5eb7b0) at /usr/src/sys/amd64/amd64/trap.c:443
#15 <signal handler called>
#16 ext2_search_dirblock (ip=<optimized out>, ip@entry=0xfffff80004d73900, data=<optimized out>, foundp=foundp@entry=0xfffffe00af5eb990, name=0xfffff80004c87805 "a", namelen=1, entryoffsetinblockp=<optimized out>, entryoffsetinblockp@entry=0xfffffe00af5eb9dc, offp=0xfffffe00af5eb9e4, prevoffp=0xfffffe00af5eb9ac, endusefulp=0xfffffe00af5eb9d4, ssp=0xfffffe00af5eb978) at /usr/src/sys/fs/ext2fs/ext2_lookup.c:743
#17 0xffffffff82746852 in ext2_lookup_ino (vdp=<optimized out>, vpp=0xfffffe00af5ebc28, cnp=0xfffffe00af5ebc50, dd_ino=0x0) at /usr/src/sys/fs/ext2fs/ext2_lookup.c:455
#18 0xffffffff80cf9f16 in VOP_CACHEDLOOKUP (dvp=0xfffff800b50d3700, vpp=0xfffffe00af5ebc28, cnp=0xfffffe00af5ebc50) at ./vnode_if.h:103
#19 vfs_cache_lookup (ap=<optimized out>) at /usr/src/sys/kern/vfs_cache.c:3068
#20 0xffffffff80d0b1e1 in VOP_LOOKUP (dvp=0xfffff800b50d3700, vpp=0xfffffe00af5ebc28, cnp=0xfffffe00af5ebc50) at ./vnode_if.h:69
#21 lookup (ndp=ndp@entry=0xfffffe00af5ebbd0) at /usr/src/sys/kern/vfs_lookup.c:1128
--Type <RET> for more, q to quit, c to continue without paging--
#22 0xffffffff80d0a0de in namei (ndp=ndp@entry=0xfffffe00af5ebbd0) at /usr/src/sys/kern/vfs_lookup.c:658
#23 0xffffffff80d29ba2 in kern_statat (td=0xfffffe0094b47e40, flag=<optimized out>, fd=-100, path=0x8018182f8 <error: Cannot access memory at address 0x8018182f8>, pathseg=pathseg@entry=UIO_USERSPACE, sbp=sbp@entry=0xfffffe00af5ebd18, hook=0x0) at /usr/src/sys/kern/vfs_syscalls.c:2441

Issues 259105, 259107, 259112 were successfully reproduced too.

The problem with these sorts of issues, I mean malicious images with bad/corrupted metadata, is that it is too difficult to cross-check the metadata values read from disk.
The only way to avoid it is to format the drive with the ext4 metadata_csum (RO_COMPAT_METADATA_CSUM) feature turned on.

Need to find a way to verify the metadata values which cause the crashes.

-- 
You are receiving this mail because:
You are the assignee for the bug.
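As an added example (not FreeBSD's code and not part of the message above): a directory-block walk that validates each entry's record length before advancing, so a zero e2d_reclen ends the walk with an error instead of looping. The function names and the sample block are constructed for illustration; the 8-byte entry header is the standard ext2 on-disk layout, and the block is assumed to be smaller than 64 KiB.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 8u /* inode(4) + rec_len(2) + name_len(1) + file_type(1) */
/* Read a little-endian 16-bit field from the untrusted block. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk one directory block (assumed < 64 KiB). Returns the entry count,
 * or -1 as soon as a record length cannot be trusted. */
int walk_dirblock(const uint8_t *blk, size_t blksize)
{
    size_t off = 0;
    int n = 0;
    while (off < blksize) {
        if (blksize - off < HDR_LEN)
            return -1;                      /* header would cross block end */
        uint16_t rec_len = le16(blk + off + 4);
        uint8_t name_len = blk[off + 6];
        if (rec_len < HDR_LEN || rec_len % 4 != 0)
            return -1;                      /* rec_len == 0 is rejected here */
        if (rec_len > blksize - off)
            return -1;                      /* entry would cross block end */
        if (HDR_LEN + name_len > rec_len)
            return -1;                      /* name does not fit its record */
        off += rec_len;                     /* always advances by >= 8 */
        n++;
    }
    return n;
}

/* Constructed sample: 1024-byte block with "." and "..", second rec_len varied. */
int sample_block_result(uint16_t second_rec_len)
{
    uint8_t blk[1024] = {0};
    const uint8_t dot[12] = {2, 0, 0, 0, 12, 0, 1, 2, '.'};
    uint8_t dotdot[12] = {2, 0, 0, 0, 0, 0, 2, 2, '.', '.'};
    dotdot[4] = (uint8_t)(second_rec_len & 0xff);
    dotdot[5] = (uint8_t)(second_rec_len >> 8);
    memcpy(blk, dot, sizeof(dot));
    memcpy(blk + 12, dotdot, sizeof(dotdot));
    return walk_dirblock(blk, sizeof(blk));
}

int main(void)
{
    printf("valid: %d, zero rec_len: %d\n", sample_block_result(1012), sample_block_result(0));
    return 0;
}
```

These are structural checks on a single block only; they do not detect a record length that is well-formed but wrong, which is the kind of corruption a metadata checksum covers.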