Date: Mon, 16 May 2022 21:34:06 +0000 From: bugzilla-noreply@freebsd.org To: fs@FreeBSD.org Subject: [Bug 263971] ffs: malicious superblock can cause buffer overflow during tasting: panic: vm_fault_lookup: fault on nofault entry, addr: 0xffffffc07cb67000 Message-ID: <bug-263971-3630-NIOaFUMmOm@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-263971-3630@https.bugs.freebsd.org/bugzilla/> References: <bug-263971-3630@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D263971 --- Comment #3 from Robert Morris <rtm@lcs.mit.edu> --- (In reply to Kirk McKusick from comment #1) Even with validate_sblock(), the int32 size in ffs_sbget() can be made to wrap around. I've attached a disk image taste9f.img with fs_cssize 2021359616 fs_contigsumsize -1 ncg 126334728 so that this in ffs_sbget() size =3D fs->fs_cssize; size +=3D fs->fs_ncg * sizeof(u_int8_t); yields size =3D -2147272952 when I run mdconfig -f taste9f.img Then the process hangs in UFS_MALLOC(size). --=20 You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-263971-3630-NIOaFUMmOm>