Date: Tue, 9 May 2023 20:09:10 GMT From: Kirk McKusick <mckusick@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: b3fe5d932264 - main - Fix off-by-one error in fsck_ffs(8) chkrange() block-number check. Message-ID: <202305092009.349K9AtK077030@gitrepo.freebsd.org>
The branch main has been updated by mckusick: URL: https://cgit.FreeBSD.org/src/commit/?id=b3fe5d932264445cbf9a1c4eab01afb6179b499b commit b3fe5d932264445cbf9a1c4eab01afb6179b499b Author: Kirk McKusick <mckusick@FreeBSD.org> AuthorDate: 2023-05-09 20:08:10 +0000 Commit: Kirk McKusick <mckusick@FreeBSD.org> CommitDate: 2023-05-09 20:08:10 +0000 Fix off-by-one error in fsck_ffs(8) chkrange() block-number check. On an amd64-CURRENT machine with an i-node that refers to a block number that is one too large will cause a core dump, due to writing beyond the end of blockmap[] and corrupting the next heap block, which happens to contain a struct inoinfo in inphash[]. Note that valgrind catches the blockmap[] access. Reported by: Robert Morris PR: 271289 MFC after: 1 week Sponsored by: The FreeBSD Foundation --- sbin/fsck_ffs/inode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sbin/fsck_ffs/inode.c b/sbin/fsck_ffs/inode.c index 04891447254e..00a60157138c 100644 --- a/sbin/fsck_ffs/inode.c +++ b/sbin/fsck_ffs/inode.c @@ -381,8 +381,8 @@ chkrange(ufs2_daddr_t blk, int cnt) { int c; - if (cnt <= 0 || blk <= 0 || blk > maxfsblock || - cnt - 1 > maxfsblock - blk) { + if (cnt <= 0 || blk <= 0 || blk >= maxfsblock || + cnt > maxfsblock - blk) { if (debug) printf("out of range: blk %ld, offset %i, size %d\n", (long)blk, (int)fragnum(&sblock, blk), cnt);
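Review bot: the two conditions in the rewritten test overlap. Since `cnt <= 0` is rejected first, `cnt > maxfsblock - blk` is already true whenever `blk >= maxfsblock`, so the explicit `blk >= maxfsblock` term is redundant; keeping it for readability is fine, but a one-line comment stating the invariant the check enforces would make the change self-documenting, e.g. that valid block numbers lie in `[1, maxfsblock)` (matching the `blockmap[]` index range) and that the run `blk .. blk + cnt - 1` must therefore satisfy `blk + cnt <= maxfsblock`. That comment is what tells a later reader why the strict `>=` and the dropped `- 1` are the correct forms and not a second off-by-one in the other direction. Given that the original bug was a heap overrun that surfaced only under valgrind (per the commit message), a regression test that runs fsck_ffs over the image from PR 271289 would also be worth adding so the bound cannot silently regress.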