Date:      Fri, 12 May 2023 19:29:08 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 271383] negative jb_blk in a JOP_FREEBLK ffs journal record can cause fsck to crash
Message-ID:  <bug-271383-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271383

            Bug ID: 271383
           Summary: negative jb_blk in a JOP_FREEBLK ffs journal record
                    can cause fsck to crash
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 242135
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242135&action=edit
broken ffs image with negative jb_blk that can cause fsck to crash

I've attached a gzipped ffs image with a negative block number
in a journal record which causes ffs_isblock() to index into its cp[]
argument with a negative index. You may need valgrind to see the problem. A
backtrace from fsck_ffs -y fsck24a.img:

(gdb) where
#0  ffs_isblock (fs=<optimized out>, cp=0x800a370d8 "", h=-240) at
/usr/src/sys/ufs/ffs/ffs_subr.c:922
#1  0x0000000000227b10 in blk_isfree (bno=-9204789740589546200) at suj.c:523
#2  0x000000000022781c in blk_isindir (blk=-9204789740589546200, ino=3,
lbn=-4611686018427387913) at suj.c:377
#3  0x00000000002273eb in indir_visit (ino=3, lbn=-4611686018427387913,
blk=-9204789740589546200, frags=0x7fffffffe668, visitor=0x229180
<blk_free_visit>, flags=1) at suj.c:728
#4  0x000000000022bb6e in blk_free_lbn (blk=-9204789740589546200, ino=3,
lbn=-4611686018427387913, frags=8, follow=1) at suj.c:917
#5  0x000000000022b9c9 in blk_check (sblk=0x800a93030) at suj.c:1541
#6  0x0000000000227195 in cg_check_blk (sc=0x800a888c0) at suj.c:1612
#7  0x0000000000226dc5 in cg_apply (apply=0x227150 <cg_check_blk>) at
suj.c:1638
#8  0x0000000000225571 in suj_check (filesys=0x7fffffffed71 "junk") at
suj.c:2461
#9  0x00000000002195c6 in checkfilesys (filesys=0x7fffffffed71 "junk") at
main.c:356
#10 0x0000000000218f72 in main (argc=1, argv=0x7fffffffea20) at main.c:210

-- 
You are receiving this mail because:
You are the assignee for the bug.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-271383-227>
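Added illustration (not FreeBSD's code and not the reporter's): the C below models the fs_frag == 8 case of the blksfree bitmap lookup with a hypothetical struct geom, shows how a negative block number from a journal record turns into a negative cp[] subscript, and adds the range check a journal-replay path can apply before the lookup. The geometry and bitmap values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
typedef int64_t daddr_t;   /* 64-bit block number, like ufs2_daddr_t */

/* Hypothetical stand-in for the struct fs fields the lookup needs. */
struct geom {
    int64_t fs_size;   /* fragments in the whole filesystem */
    int32_t fs_fpg;    /* fragments per cylinder group */
    int32_t fs_frag;   /* fragments per block; 8 = one bitmap byte per block */
};
/* dtog/dtogd: group of a block and offset within it. C truncates '/' and '%'
 * toward zero, so a negative block number gives a negative offset. */
static int64_t dtog(const struct geom *g, daddr_t d)  { return d / g->fs_fpg; }
static int64_t dtogd(const struct geom *g, daddr_t d) { return d % g->fs_fpg; }

/* Byte subscript into a group's blksfree[] for fs_frag == 8: this is the
 * cp[h] the backtrace shows with h=-240, computed with no check or clamp. */
int64_t blksfree_index(const struct geom *g, daddr_t bno) {
    return dtogd(g, bno) / g->fs_frag;
}

/* Check a journal record's block before any bitmap access: inside the
 * filesystem, and mapping to a cylinder group that exists. */
bool jb_blk_valid(const struct geom *g, int64_t ncg, daddr_t bno) {
    if (bno < 0 || bno >= g->fs_size)
        return false;
    int64_t cg = dtog(g, bno);
    return cg >= 0 && cg < ncg;
}

/* Free-block query that refuses to touch cp[] for an unvalidated block.
 * cp is the blksfree[] of the group bno maps to; *isfree is set on success. */
bool safe_isblock(const struct geom *g, int64_t ncg, const unsigned char *cp,
                  daddr_t bno, bool *isfree) {
    if (!jb_blk_valid(g, ncg, bno))
        return false;
    *isfree = (cp[blksfree_index(g, bno)] == 0xff);
    return true;
}

int main(void) {
    /* Constructed geometry: 4 groups of 8192 fragments; group-1 bitmap, block 2 free. */
    struct geom g = { .fs_size = 4 * 8192, .fs_fpg = 8192, .fs_frag = 8 };
    unsigned char bitmap[1024] = { [2] = 0xff };
    bool isfree = false, ok = safe_isblock(&g, 4, bitmap, 8208, &isfree);
    printf("unchecked index for bno -1920: %lld\n", (long long)blksfree_index(&g, -1920));
    printf("bno -1920 accepted? %d\n", safe_isblock(&g, 4, bitmap, -1920, &isfree));
    printf("bno 8208 accepted? %d, free? %d\n", ok, isfree);
    return 0;
}
```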