Date: Wed, 06 Oct 2021 09:26:33 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 258960] mounting a corrupt FAT32 disk can consume all memory
Message-ID: <bug-258960-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258960

    Bug ID: 258960
    Summary: mounting a corrupt FAT32 disk can consume all memory
    Product: Base System
    Version: 13.0-RELEASE
    Hardware: Any
    OS: Any
    Status: New
    Severity: Affects Some People
    Priority: ---
    Component: kern
    Assignee: bugs@FreeBSD.org
    Reporter: rtm@lcs.mit.edu
    Attachment #228476 text/plain mime type:

Created attachment 228476
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228476&action=edit
Program to generate a FAT32 image that causes mount_msdosfs to allocate huge amounts of memory.

I've attached a program that generates a FAT32 disk image that, when mounted, causes the kernel's msdosfs_mount() to try to allocate 1000 GB of memory. On my machine this ends up killing every process due to lack of swap. I don't think the mount process itself can be killed, so it's a fairly fatal condition.

The cause is some parameters in the FAT32 image that have outrageous values, for example the "total logical sectors" at BPB offset 0x020 is 120 million, much larger than the actual disk image. msdosfs_mount() allocates an amount of memory derived from pmp->maxcluster, which is the product of some of these huge values:

    pmp->pm_inusemap = malloc(howmany(pmp->pm_maxcluster + 1, N_INUSEBITS)
        * sizeof(*pmp->pm_inusemap), M_MSDOSFSFAT, M_WAITOK);

Here's how to produce and mount an image that causes this problem, using the attached fat323.c program:

    % cc fat323.c
    % ./a.out
    % sudo mdconfig -f fat323.img
    % sudo mount_msdosfs /dev/md0 /mnt

My machine runs

    FreeBSD xxx 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24 07:33:27 UTC 2021
    root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

-- 
You are receiving this mail because:
You are the assignee for the bug.
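
The kind of BPB sanity check that rejects the image described above, as an added example (not part of the bug report and not FreeBSD's msdosfs code): it refuses a FAT32 boot sector whose total-sector count exceeds the backing device, or whose FAT cannot cover the implied cluster count, before any size derived from those fields reaches an allocator. The function names, status codes and the constructed sample sector are assumptions for illustration; the field offsets are the standard FAT32 BPB ones.

```c
/* Added example: FAT32 BPB sanity check; hypothetical names, not FreeBSD's msdosfs code. */
#include <stdint.h>
#include <stdio.h>

enum bpb_status { BPB_OK, BPB_BAD_GEOMETRY, BPB_EXCEEDS_DEVICE, BPB_FAT_TOO_SMALL };
static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }
static int pow2(uint32_t v) { return v != 0 && (v & (v - 1)) == 0; }

/* Validate a FAT32 boot sector against the real size of the backing device. */
enum bpb_status bpb_check(const uint8_t *bs, uint64_t dev_bytes)
{
    uint32_t bps   = le16(bs + 0x0B);   /* bytes per logical sector */
    uint32_t spc   = bs[0x0D];          /* sectors per cluster */
    uint32_t resv  = le16(bs + 0x0E);   /* reserved sectors */
    uint32_t nfats = bs[0x10];          /* number of FATs */
    uint64_t total = le32(bs + 0x20);   /* total logical sectors */
    uint64_t fatsz = le32(bs + 0x24);   /* sectors per FAT (FAT32) */
    if (bps < 512 || bps > 4096 || !pow2(bps) || !pow2(spc) || !nfats || !total)
        return BPB_BAD_GEOMETRY;
    if (total > dev_bytes / bps)        /* volume must fit on the device */
        return BPB_EXCEEDS_DEVICE;
    uint64_t meta = resv + nfats * fatsz;
    if (meta >= total)
        return BPB_BAD_GEOMETRY;
    /* 4 bytes per FAT32 entry; the FAT must cover every cluster plus 2 reserved. */
    uint64_t clusters = (total - meta) / spc;
    if (clusters + 2 > fatsz * bps / 4)
        return BPB_FAT_TOO_SMALL;
    return BPB_OK;
}

/* Constructed sample sector: 512-byte sectors, 1 sector/cluster, 32 reserved, 2 FATs. */
enum bpb_status check_constructed(uint32_t total, uint32_t fatsz, uint64_t dev_bytes)
{
    uint8_t bs[512] = {0};
    bs[0x0C] = 0x02; bs[0x0D] = 1; bs[0x0E] = 32; bs[0x10] = 2;
    for (int i = 0; i < 4; i++) {
        bs[0x20 + i] = (uint8_t)(total >> (8 * i));
        bs[0x24 + i] = (uint8_t)(fatsz >> (8 * i));
    }
    return bpb_check(bs, dev_bytes);
}

int main(void)
{
    /* Constructed 64 MiB device: sane geometry vs. a 120-million-sector claim. */
    printf("sane=%d oversized=%d\n", check_constructed(131072, 1024, 64ULL << 20),
           check_constructed(120000000, 1024, 64ULL << 20));
    return 0;
}
```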