Date: Sat, 06 May 2023 21:00:50 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271289] off-by-one error in fsck_ffs chkrange() block-number check
Message-ID: <bug-271289-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271289

            Bug ID: 271289
           Summary: off-by-one error in fsck_ffs chkrange() block-number check
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 242024
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242024&action=edit
broken ffs image that causes off-by-one block-number check error in fsck

In this code in src/sbin/fsck_ffs/inode.c, I think the "blk > maxfsblock"
should be >=. The cnt - 1 ... check also looks off by one.

int
chkrange(ufs2_daddr_t blk, int cnt)
{
	int c;

	if (cnt <= 0 || blk <= 0 || blk > maxfsblock ||
	    cnt - 1 > maxfsblock - blk) {
		if (debug)
			printf("out of range: blk %ld, offset %i, size %d\n",
			    (long)blk, (int)fragnum(&sblock, blk), cnt);
		return (1);
	}

I've attached a broken file-system image with an i-node that refers to a
block number that's one too large (64):

% cp fsck4b.img junk
% fsck_ffs -y junk

On my CURRENT amd64 machine this yields a core dump, due to writing beyond
the end of blockmap[] and corrupting the next heap block, which happens to
contain a struct inoinfo in inphash[]. valgrind catches the blockmap[]
access.

-- 
You are receiving this mail because:
You are the assignee for the bug.
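The following is an added stand-alone model of the range check discussed in the report; it is not code from the report or from the FreeBSD tree. It assumes, as the report's "64 is one too large" implies, that maxfsblock is the number of fragments in the filesystem (so valid fragment numbers are 0..maxfsblock-1 and blockmap[] has that many entries), and it places the quoted comparison beside a tightened one so both can be exercised on the boundary values.

```c
/* Added example: model of fsck_ffs chkrange()'s block-number check.
 * Assumption: maxfsblock counts fragments, so a fragment range
 * [blk, blk+cnt) indexes blockmap[] in bounds only if blk+cnt <= maxfsblock. */
#include <stdint.h>

typedef int64_t ufs2_daddr_t;

/* Constructed value: matches the report's image, where block 64 is
 * described as one too large. */
static ufs2_daddr_t maxfsblock = 64;

/* The comparison exactly as quoted in the report (debug printf omitted).
 * Returns 1 when the range is rejected as out of range, 0 when accepted. */
int chkrange_reported(ufs2_daddr_t blk, int cnt)
{
    if (cnt <= 0 || blk <= 0 || blk > maxfsblock ||
        cnt - 1 > maxfsblock - blk)
        return 1;
    return 0;
}

/* Tightened comparison: reject blk == maxfsblock, and reject any range whose
 * last fragment (blk + cnt - 1) would reach maxfsblock or beyond.
 * "cnt > maxfsblock - blk" is the overflow-safe form of blk + cnt > maxfsblock. */
int chkrange_fixed(ufs2_daddr_t blk, int cnt)
{
    if (cnt <= 0 || blk <= 0 || blk >= maxfsblock ||
        cnt > maxfsblock - blk)
        return 1;
    return 0;
}

/* Ground truth for the tests: 1 if every fragment in [blk, blk+cnt)
 * is a valid index into a blockmap[] with maxfsblock entries. */
int range_indexes_in_bounds(ufs2_daddr_t blk, int cnt)
{
    return blk >= 0 && cnt > 0 && blk + cnt <= maxfsblock;
}
```

With these definitions, blk 64 / cnt 1 and blk 63 / cnt 2 pass the quoted check even though both touch blockmap[64], while the tightened check rejects them and still accepts blk 63 / cnt 1.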