Date: Wed, 10 May 2023 15:02:25 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271351] fsck_ffs can crash if fs_size < fs_ncg*fs_fpg
Message-ID: <bug-271351-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271351

            Bug ID: 271351
           Summary: fsck_ffs can crash if fs_size < fs_ncg*fs_fpg
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 242107
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242107&action=edit
broken image that causes fsck_ffs to crash due to fs_size < fs_ncg*fs_fpg

These two checks in ffs_subr.c's validate_sblock():

    FCHK(fs->fs_size, <=, ((int64_t)fs->fs_ncg - 1) * fs->fs_fpg, %jd);

and

    FCHK(fs->fs_size, <=, ((int64_t)fs->fs_ncg - 1) * fs->fs_fpg, %jd);

allow fs_size to be smaller than fs_ncg*fs_fpg. For example, if fs_ncg is 1,
then the test only requires fs_size to be > 0.

validate_sblock() checks fs_csaddr against fs_ncg*fs_fpg, and thus fs_csaddr
can point beyond fs_size. As a result, a too-large value of fs_csaddr can cause
this code in fsck_ffs's pass1() to write beyond the end of blockmap, whose size
is determined by fs_size:

    i = sblock.fs_csaddr;
    cgd = i + howmany(sblock.fs_cssize, sblock.fs_fsize);
    for (; i < cgd; i++)
        setbmap(i);

I've attached a file system image that causes fsck_ffs -y to either dump core
or fail valgrind.

-- 
You are receiving this mail because:
You are the assignee for the bug.
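The gap the report describes, as an added illustration that is not part of the bug report or of FreeBSD's ffs_subr.c: a reduced superblock struct, the lower-bound check on fs_size quoted above, and a hypothetical extra check that the cylinder summary area walked by pass1() actually lies inside fs_size. Field values and the exact shape of the fs_csaddr comparison are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Subset of the struct fs fields named in the report (constructed layout, not the on-disk one). */
struct sb_subset {
	int64_t fs_size;    /* number of blocks in the file system; sizes fsck's blockmap */
	int32_t fs_ncg;     /* number of cylinder groups */
	int32_t fs_fpg;     /* fragments per cylinder group */
	int64_t fs_csaddr;  /* block address of the cylinder summary area */
	int32_t fs_cssize;  /* size of the cylinder summary area, in bytes */
	int32_t fs_fsize;   /* fragment size, in bytes */
};

#define howmany(x, y) (((x) + ((y) - 1)) / (y))

/* The quoted FCHK, inverted: the superblock is accepted when fs_size > (fs_ncg - 1) * fs_fpg. */
static bool passes_size_check(const struct sb_subset *fs)
{
	return fs->fs_size > ((int64_t)fs->fs_ncg - 1) * fs->fs_fpg;
}

/* Assumed shape of the existing fs_csaddr check: compared against fs_ncg * fs_fpg, not fs_size. */
static bool passes_csaddr_check(const struct sb_subset *fs)
{
	return fs->fs_csaddr >= 0 && fs->fs_csaddr < (int64_t)fs->fs_ncg * fs->fs_fpg;
}

/* One past the last block the pass1() loop marks with setbmap(). */
static int64_t csarea_end(const struct sb_subset *fs)
{
	return fs->fs_csaddr + howmany((int64_t)fs->fs_cssize, fs->fs_fsize);
}

/* Hypothetical extra check: every block the loop touches must index inside the blockmap. */
static bool csarea_within_fs(const struct sb_subset *fs)
{
	if (fs->fs_fsize <= 0 || fs->fs_cssize < 0 || fs->fs_csaddr < 0)
		return false;
	return csarea_end(fs) <= fs->fs_size;
}

int main(void)
{
	/* Constructed values: one cylinder group, fs_size far below fs_ncg*fs_fpg, summary area past fs_size. */
	struct sb_subset bad = { .fs_size = 64, .fs_ncg = 1, .fs_fpg = 4096,
	                         .fs_csaddr = 2048, .fs_cssize = 4096, .fs_fsize = 4096 };
	printf("size check %d, csaddr check %d, summary area inside fs %d\n",
	       passes_size_check(&bad), passes_csaddr_check(&bad), csarea_within_fs(&bad));
	return 0;
}
```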