From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 277237] fatblock() should call ulmin() rather than min()
Date: Fri, 23 Feb 2024 10:27:16 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277237

            Bug ID: 277237
           Summary: fatblock() should call ulmin() rather than min()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

In this line in msdosfs_fat.c's fatblock():

        size = roundup(min(fatblocksec, pmp->pm_FATsecs - bn) * DEV_BSIZE,
            pmp->pm_BlkPerSec * DEV_BSIZE);

It should probably be ulmin().

I've attached a corrupt FAT32 image that trips over this. FATsecs is
0x100000000, which passes the != 0 test in mountmsdosfs(), but looks
like zero when cast to 32 bits to pass to min(). The result is a zero
bsize passed to bread() by fillinusemap(), causing bread() to return no
error but a bp->b_data that points to unmapped memory.

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #17 main-n265546-d06328c37bbc: Tue Sep 26 20:08:23 AST 2023     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# gunzip fat6a.img.gz
# mdconfig -f fat6a.img
# mount_msdosfs /dev/md0 /mnt
panic: vm_fault_lookup: fault on nofault entry, addr: 0xfffffe0020d3c000
cpuid = 4
time = 1708682767
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01017f0470
vpanic() at vpanic+0x132/frame 0xfffffe01017f05a0
panic() at panic+0x43/frame 0xfffffe01017f0600
vm_fault() at vm_fault+0x18c9/frame 0xfffffe01017f0730
vm_fault_trap() at vm_fault_trap+0x6f/frame 0xfffffe01017f0770
trap_pfault() at trap_pfault+0x24a/frame 0xfffffe01017f07e0
calltrap() at calltrap+0x8/frame 0xfffffe01017f07e0
--- trap 0xc, rip = 0xffffffff809dd295, rsp = 0xfffffe01017f08b0, rbp = 0xfffffe01017f08e0 ---
fillinusemap() at fillinusemap+0x235/frame 0xfffffe01017f08e0
mountmsdosfs() at mountmsdosfs+0x864/frame 0xfffffe01017f0980
msdosfs_mount() at msdosfs_mount+0x45d/frame 0xfffffe01017f0ac0
vfs_domount_first() at vfs_domount_first+0x258/frame 0xfffffe01017f0c00
vfs_domount() at vfs_domount+0x315/frame 0xfffffe01017f0d20
vfs_donmount() at vfs_donmount+0x912/frame 0xfffffe01017f0dc0
sys_nmount() at sys_nmount+0x6c/frame 0xfffffe01017f0e00
amd64_syscall() at amd64_syscall+0x14f/frame 0xfffffe01017f0f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01017f0f30
--- syscall (378, FreeBSD ELF64, nmount), rip = 0x16e644522a2a, rsp = 0x16e6425ccb58, rbp = 0x16e6425cd1d0 ---
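
Added example (not part of the original report and not FreeBSD source): a userland model of the size expression quoted above, showing how the 32-bit min() turns FATsecs = 0x100000000 into a zero size while ulmin() does not. k_min/k_ulmin stand in for the libkern helpers with amd64 widths; fatblocksec = 128, bn = 0 and BlkPerSec = 1 are constructed values, not taken from the attached image.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define DEV_BSIZE 512u
/* Same rounding rule as roundup() in sys/param.h */
#define roundup(x, y) ((((x) + ((y) - 1)) / (y)) * (y))

/* Models of the kernel helpers on amd64:
 * min() takes u_int (32 bits), ulmin() takes u_long (64 bits). */
static uint32_t k_min(uint32_t a, uint32_t b) { return a < b ? a : b; }
static uint64_t k_ulmin(uint64_t a, uint64_t b) { return a < b ? a : b; }

/* Size expression as reported: 64-bit operands are narrowed to 32 bits
 * when passed to min(), so 0x100000000 becomes 0. */
static uint64_t size_with_min(uint64_t fatblocksec, uint64_t fatsecs,
    uint64_t bn, uint64_t blk_per_sec)
{
	uint64_t secs = k_min((uint32_t)fatblocksec, (uint32_t)(fatsecs - bn));
	return roundup(secs * DEV_BSIZE, blk_per_sec * DEV_BSIZE);
}

/* Same expression with the 64-bit helper the report proposes. */
static uint64_t size_with_ulmin(uint64_t fatblocksec, uint64_t fatsecs,
    uint64_t bn, uint64_t blk_per_sec)
{
	uint64_t secs = k_ulmin(fatblocksec, fatsecs - bn);
	return roundup(secs * DEV_BSIZE, blk_per_sec * DEV_BSIZE);
}

int main(void)
{
	/* Constructed inputs; only 0x100000000 comes from the report. */
	const uint64_t fatsecs[] = { 64, 0xffffffffULL, 0x100000000ULL };
	const uint64_t fatblocksec = 128, bn = 0, blk_per_sec = 1;

	for (size_t i = 0; i < sizeof(fatsecs) / sizeof(fatsecs[0]); i++)
		printf("FATsecs=0x%" PRIx64 " min()->%" PRIu64
		    " ulmin()->%" PRIu64 "\n", fatsecs[i],
		    size_with_min(fatblocksec, fatsecs[i], bn, blk_per_sec),
		    size_with_ulmin(fatblocksec, fatsecs[i], bn, blk_per_sec));
	return 0;
}
```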