From owner-freebsd-bugs@FreeBSD.ORG Tue Aug 30 18:30:24 2005
Resent-Date: Tue, 30 Aug 2005 18:30:21 GMT
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Message-Id: <200508301813.j7UIDIAw020515@mercury.lan>
Date: Tue, 30 Aug 2005 11:13:18 -0700 (PDT)
From: Nate Eldredge
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/85494: fsck_ffs: unchecked use of cg_inosused macro etc.
List-Id: Bug reports

>Number:         85494
>Category:       bin
>Synopsis:       fsck_ffs: unchecked use of cg_inosused macro etc.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 30 18:30:21 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Nate Eldredge
>Release:        FreeBSD 5.4-RELEASE-p3 i386
>Organization:
>Environment:
System: FreeBSD mercury.lan 5.4-RELEASE-p3 FreeBSD 5.4-RELEASE-p3 #1: Wed Jun 29 18:04:58 PDT 2005 nate@mercury.lan:/medium/obj/medium/src/sys/MERCURY i386
>Description:
When fsck_ffs is checking a file system, one of the passes is to check the cylinder groups and see if the various bitmaps are correct. For example, on line 325 of pass5.c it looks at cg_inosused(cg). cg has been read from the disk, and cg_inosused is a pointer to cg->cg_iusedoff bytes past cg. (Defined in .) Presumably the inosused bitmap is supposed to be in the same block as the cg structure. However, if the cylinder group header is corrupt, cg->cg_iusedoff could be anything and thus cg_inosused(cg) will be a bogus pointer, and fsck_ffs will crash. Possibly there is no reasonable way for fsck_ffs to handle such corruption, but it still shouldn't segfault IMHO.

Other uses of the cg_* macros are also suspect, and there may be other errors of the same sort throughout fsck. dumpfs has similar bugs.
>How-To-Repeat:
I have a filesystem image which crashes fsck_ffs because of this bug. However, the image is 1G and may contain some sensitive data (it's a corrupt /var) so I would rather not make it available. I can try to explain the problem further if necessary.
>Fix:
Check cg->iusedoff for sanity before trying to use it. For instance, make sure it points within the block that's been read from the disk.
>Release-Note:
>Audit-Trail:
>Unformatted:
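As an added illustration of the sanity check the report proposes (this is not code from the PR or from FreeBSD's fsck_ffs): a simplified cylinder group header model with the unchecked macro beside a bounds-checked accessor that refuses offsets or bitmap extents lying outside the block actually read from disk. struct cg_hdr, cg_inosused_checked, cg_offset_accepted and the 512-byte block size are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the cylinder group header (assumption: only the two
 * fields this check needs; FreeBSD's real struct cg has many more). */
struct cg_hdr {
    uint32_t cg_niblk;    /* number of inodes in this cylinder group */
    uint32_t cg_iusedoff; /* byte offset of the inode-used bitmap from cg */
};

/* The unchecked form the report describes: whatever cg_iusedoff holds,
 * the result is a pointer that fsck then dereferences. */
#define cg_inosused_unchecked(cgp) ((uint8_t *)(cgp) + (cgp)->cg_iusedoff)

/* Checked replacement (hypothetical name). Returns the bitmap pointer, or
 * NULL if the offset or the bitmap's extent would leave the 'bufsize'
 * bytes that were actually read from disk. */
const uint8_t *cg_inosused_checked(const void *buf, size_t bufsize)
{
    const struct cg_hdr *cgp = buf;
    size_t off, bitmap_len;
    if (bufsize < sizeof(*cgp))
        return NULL;                /* header itself is truncated */
    off = cgp->cg_iusedoff;
    if (off < sizeof(*cgp) || off > bufsize)
        return NULL;                /* bitmap must start inside the block */
    /* one bit per inode, rounded up to whole bytes, computed without overflow */
    bitmap_len = cgp->cg_niblk / 8 + (cgp->cg_niblk % 8 != 0);
    if (bitmap_len > bufsize - off)
        return NULL;                /* compare with remaining space, not off+len */
    return (const uint8_t *)buf + off;
}

#define CG_BLKSIZE 512  /* constructed block size for the demonstration */

/* Build a block with the given header values and report whether the
 * checked accessor accepts it (1) or rejects it as corrupt (0). */
int cg_offset_accepted(uint32_t niblk, uint32_t iusedoff)
{
    static uint8_t blk[CG_BLKSIZE];
    struct cg_hdr h = { .cg_niblk = niblk, .cg_iusedoff = iusedoff };
    const uint8_t *p;
    memset(blk, 0, sizeof blk);
    memcpy(blk, &h, sizeof h);
    p = cg_inosused_checked(blk, sizeof blk);
    return p != NULL && p == blk + iusedoff;
}
```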