Date: Fri, 23 Feb 2024 10:27:16 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 277237] fatblock() should call ulmin() rather than min()
Message-ID: <bug-277237-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277237

            Bug ID: 277237
           Summary: fatblock() should call ulmin() rather than min()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

In this line in msdosfs_fat.c's fatblock():

    size = roundup(min(fatblocksec, pmp->pm_FATsecs - bn) * DEV_BSIZE,
        pmp->pm_BlkPerSec * DEV_BSIZE);

It should probably be ulmin(). I've attached a corrupt FAT32 image that
trips over this. FATsecs is 0x100000000, which passes the != 0 test in
mountmsdosfs(), but looks like zero when cast to 32 bits to pass to
min(). The result is a zero bsize passed to bread() by fillinusemap(),
causing bread() to return no error but a bp->b_data that points to
unmapped memory.

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #17 main-n265546-d06328c37bbc: Tue Sep 26 20:08:23 AST 2023     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# gunzip fat6a.img.gz
# mdconfig -f fat6a.img
# mount_msdosfs /dev/md0 /mnt

panic: vm_fault_lookup: fault on nofault entry, addr: 0xfffffe0020d3c000
cpuid = 4
time = 1708682767
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01017f0470
vpanic() at vpanic+0x132/frame 0xfffffe01017f05a0
panic() at panic+0x43/frame 0xfffffe01017f0600
vm_fault() at vm_fault+0x18c9/frame 0xfffffe01017f0730
vm_fault_trap() at vm_fault_trap+0x6f/frame 0xfffffe01017f0770
trap_pfault() at trap_pfault+0x24a/frame 0xfffffe01017f07e0
calltrap() at calltrap+0x8/frame 0xfffffe01017f07e0
--- trap 0xc, rip = 0xffffffff809dd295, rsp = 0xfffffe01017f08b0, rbp = 0xfffffe01017f08e0 ---
fillinusemap() at fillinusemap+0x235/frame 0xfffffe01017f08e0
mountmsdosfs() at mountmsdosfs+0x864/frame 0xfffffe01017f0980
msdosfs_mount() at msdosfs_mount+0x45d/frame 0xfffffe01017f0ac0
vfs_domount_first() at vfs_domount_first+0x258/frame 0xfffffe01017f0c00
vfs_domount() at vfs_domount+0x315/frame 0xfffffe01017f0d20
vfs_donmount() at vfs_donmount+0x912/frame 0xfffffe01017f0dc0
sys_nmount() at sys_nmount+0x6c/frame 0xfffffe01017f0e00
amd64_syscall() at amd64_syscall+0x14f/frame 0xfffffe01017f0f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01017f0f30
--- syscall (378, FreeBSD ELF64, nmount), rip = 0x16e644522a2a, rsp = 0x16e6425ccb58, rbp = 0x16e6425cd1d0 ---

-- 
You are receiving this mail because:
You are the assignee for the bug.
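To make the truncation concrete, here is an added stand-alone illustration (not code from the report or from the FreeBSD tree) that evaluates the size expression above once with a 32-bit min() and once with a 64-bit ulmin(). FATsecs is the value from the report; fatblocksec, bn and pm_BlkPerSec are assumed values, and u_int/u_long are modelled as uint32_t/uint64_t as on amd64.

```c
#include <stdint.h>
#include <stdio.h>

/* Same shape as sys/param.h roundup(): round x up to a multiple of y. */
#define ROUNDUP(x, y) ((((x) + ((y) - 1)) / (y)) * (y))
#define DEV_BSIZE 512UL

/* libkern min() takes u_int (32-bit on amd64); ulmin() takes u_long (64-bit). */
static uint32_t min_u32(uint32_t a, uint32_t b) { return a < b ? a : b; }
static uint64_t ulmin_u64(uint64_t a, uint64_t b) { return a < b ? a : b; }

/*
 * The expression as reported: pm_FATsecs - bn is 64-bit, but the call to
 * min() converts it to 32 bits, so 0x100000000 silently becomes 0 and the
 * computed bread() size collapses to 0.
 */
uint64_t fat_size_min(uint64_t fatblocksec, uint64_t fatsecs, uint64_t bn,
    uint64_t blkpersec)
{
    return ROUNDUP(min_u32(fatblocksec, fatsecs - bn) * DEV_BSIZE,
        blkpersec * DEV_BSIZE);
}

/* The suggested fix: ulmin() compares the full 64-bit operands. */
uint64_t fat_size_ulmin(uint64_t fatblocksec, uint64_t fatsecs, uint64_t bn,
    uint64_t blkpersec)
{
    return ROUNDUP(ulmin_u64(fatblocksec, fatsecs - bn) * DEV_BSIZE,
        blkpersec * DEV_BSIZE);
}

int main(void)
{
    /* Constructed inputs: FATsecs from the report, the others assumed. */
    uint64_t fatsecs = 0x100000000ULL, fatblocksec = 8, bn = 0, blkpersec = 1;

    printf("min():   %llu bytes\n",
        (unsigned long long)fat_size_min(fatblocksec, fatsecs, bn, blkpersec));
    printf("ulmin(): %llu bytes\n",
        (unsigned long long)fat_size_ulmin(fatblocksec, fatsecs, bn, blkpersec));
    return 0;
}
```

With these inputs the min() variant yields 0 bytes while ulmin() yields 4096; for FAT sizes that fit in 32 bits both variants agree.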