From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 258960] mounting a corrupt FAT32 disk can consume all memory
Date: Wed, 06 Oct 2021 09:26:33 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258960

            Bug ID: 258960
           Summary: mounting a corrupt FAT32 disk can consume all memory
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #228476 mime type: text/plain

Created attachment 228476
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228476&action=edit
Program to generate a FAT32 image that causes mount_msdosfs to allocate huge
amounts of memory.

I've attached a program that generates a FAT32 disk image that, when
mounted, causes the kernel's msdosfs_mount() to try to allocate 1000 GB
of memory. On my machine this ends up killing every process due to lack
of swap. I don't think the mount process itself can be killed, so it's a
fairly fatal condition.

The cause is some parameters in the FAT32 image that have outrageous
values, for example the "total logical sectors" at BPB offset 0x020 is
120 million, much larger than the actual disk image.
msdosfs_mount() allocates an amount of memory derived from
pmp->maxcluster, which is the product of some of these huge values:

        pmp->pm_inusemap = malloc(howmany(pmp->pm_maxcluster + 1, N_INUSEBITS)
            * sizeof(*pmp->pm_inusemap), M_MSDOSFSFAT, M_WAITOK);

Here's how to produce and mount an image that causes this problem, using
the attached fat323.c program:

  % cc fat323.c
  % ./a.out
  % sudo mdconfig -f fat323.img
  % sudo mount_msdosfs /dev/md0 /mnt

My machine runs

  FreeBSD xxx 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24 07:33:27 UTC 2021 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
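
The kind of sanity check the report implies is missing, as an added example that is not part of the original report and is neither FreeBSD's code nor its fix: BPB fields are validated against the real size of the backing device before any allocation is sized from them. The names check_fat32_bpb and make_sample_bpb are hypothetical, the field offsets are those of the standard FAT BPB layout, and the sample sector is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum bpb_verdict { BPB_OK, BPB_BAD_GEOMETRY, BPB_EXCEEDS_MEDIA, BPB_FAT_TOO_SMALL };
/* Little-endian readers for fields of a raw 512-byte boot sector. */
static uint32_t le16(const uint8_t *p) { return p[0] | (p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (le16(p + 2) << 16); }

/* Check FAT32 BPB fields against the real device size before sizing anything
 * from them. On BPB_OK, *bitmap_bytes is a one-bit-per-cluster map size. */
enum bpb_verdict check_fat32_bpb(const uint8_t *bs, uint64_t media_bytes, uint64_t *bitmap_bytes)
{
    uint32_t bps = le16(bs + 0x0B), spc = bs[0x0D];      /* bytes/sector, sectors/cluster */
    uint64_t reserved = le16(bs + 0x0E), nfats = bs[0x10];
    uint64_t total = le32(bs + 0x20), fatsz = le32(bs + 0x24);
    if (bps < 512 || bps > 4096 || (bps & (bps - 1)) ||
        spc == 0 || (spc & (spc - 1)) || nfats == 0)
        return BPB_BAD_GEOMETRY;
    if (total == 0 || total * bps > media_bytes)         /* volume larger than device */
        return BPB_EXCEEDS_MEDIA;
    uint64_t first_data = reserved + nfats * fatsz;
    if (first_data >= total)                             /* subtraction below would wrap */
        return BPB_BAD_GEOMETRY;
    uint64_t clusters = (total - first_data) / spc;
    if ((clusters + 2) * 4 > fatsz * bps)                /* FAT cannot index them all */
        return BPB_FAT_TOO_SMALL;
    *bitmap_bytes = (clusters + 2 + 7) / 8;
    return BPB_OK;
}

/* Constructed sample: zeroed sector carrying only the fields checked above. */
void make_sample_bpb(uint8_t *bs, uint32_t total, uint32_t fatsz)
{
    memset(bs, 0, 512);
    bs[0x0C] = 0x02;                                     /* 512 bytes per sector */
    bs[0x0D] = 1; bs[0x0E] = 32; bs[0x10] = 2;           /* spc, reserved, FAT copies */
    for (int i = 0; i < 4; i++) {
        bs[0x20 + i] = (uint8_t)(total >> (8 * i));      /* total logical sectors */
        bs[0x24 + i] = (uint8_t)(fatsz >> (8 * i));      /* sectors per FAT */
    }
}

int main(void)
{
    uint8_t bs[512]; uint64_t map = 0;
    make_sample_bpb(bs, 120000000u, 1016);               /* 120 million sectors, 64 MiB device */
    printf("verdict=%d\n", check_fat32_bpb(bs, 64u << 20, &map));
    return 0;
}
```

With these checks in place the in-use bitmap can never exceed one bit per sector of the actual device, whatever the on-disk fields claim.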