From owner-freebsd-bugs@FreeBSD.ORG Sat Aug 27 23:50:20 2005
Message-Id:
<200508272342.j7RNg6kS001490@kulesh.obluda.cz>
Date: Sun, 28 Aug 2005 01:42:06 +0200 (CEST)
From: Dan Lukes
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/85365: [ PATCH ] geom_label can cause PANIC during load
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Dan Lukes
List-Id: Bug reports
X-List-Received-Date: Sat, 27 Aug 2005 23:50:21 -0000

>Number: 85365
>Category: kern
>Synopsis: [ PATCH ] geom_label can cause PANIC during load
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Aug 27 23:50:19 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 6.0-BETA3 i386
>Organization: Obludarium
>Environment:
System: FreeBSD 6.0-BETA3 Sat Aug 27 17:43:26 CEST 2005 i386
sys/geom/label/g_label_ext2fs.c,v 1.1.2.1 2005/08/16 08:20:47
>Description:
geom_load can cause kernel panic:
panic: wrong offset 1024 for sectorsize 2048
>How-To-Repeat:
Load geom_label on a computer with an empty CD-ROM device.
>Fix:
The geom_label tastes all devices on loading. When tasting a CD-ROM with no media, the tasting failed for ISO9660. The code then tastes for EXT2FS. Its code issues an invalid g_read_data() request, caught by the KASSERT within g_io_request().

The taste routines for other FS may also issue similar invalid I/O requests on consumers with a 'bad' sector size.

BTW, the g_label_*fs.c files should be rewritten to use appropriate include files (isofs/cd9660/iso.h or gnu/fs/ext2fs/fs.h for example) whenever possible. It's not covered by the patches supplied below.

--- patch begins here --- --- sys/geom/label/g_label_ext2fs.c.ORIG Tue Aug 16 10:20:47 2005 +++ sys/geom/label/g_label_ext2fs.c Sun Aug 28 00:00:24 2005
@@ -58,6 +58,14 @@ pp = cp->provider; label[0] = '\0'; + /* + * Take care not to issue an invalid I/O request. The + * offset of the superblock candidate must be + * multiples of the provider's sector size, otherwise an + * EXT2FS can't exist on the provider anyway. + */ + if (EXT2FS_SB_OFFSET % pp->sectorsize != 0) + return; fs = (e2sb_t *)g_read_data(cp, EXT2FS_SB_OFFSET, pp->sectorsize, NULL); if (fs == NULL) return; --- sys/geom/label/g_label_iso9660.c.ORIG Fri Jul 2 21:40:34 2004 +++ sys/geom/label/g_label_iso9660.c Sun Aug 28 01:12:34 2005 @@ -52,7 +52,20 @@ pp = cp->provider; label[0] = '\0'; - sector = (char *)g_read_data(cp, 0x8000, pp->sectorsize, &error); + /* + * Take care not to issue an invalid I/O request. The + * provider's sector size must be 2048, otherwise an + * CD9660FS can't exist on the provider anyway. + * Well, the standard says this should be 2048 or the + * physical sector size on the device, whichever is greater. + * For now, we'll just use a constant. It follow the logic used + * within cd9660_vfsops.c + * BTW, are we sure we want the label from first found descriptor + * despite of it's type ? And how about SIERRA CD format ? + */ + if (pp->sectorsize != 2048) + return; + sector = (char *)g_read_data(cp, 16*2048, pp->sectorsize, &error); if (sector == NULL || error != 0) return; if (bcmp(sector, ISO9660_MAGIC, sizeof(ISO9660_MAGIC) - 1) != 0) { --- sys/geom/label/g_label_reiserfs.c.ORIG Tue Aug 16 10:20:47 2005 +++ sys/geom/label/g_label_reiserfs.c Sun Aug 28 01:19:05 2005 
@@ -53,6 +53,14 @@ { reiserfs_sb_t *fs; + /* + * Take care not to issue an invalid I/O request. The + * offset and len of the superblock candidate must be + * multiples of the provider's sector size, otherwise an + * REISERFS can't exist on the provider anyway. + */ + if (offset % pp->sectorsize != 0 || len % pp->sectorsize != 0) + return (NULL); fs = (reiserfs_sb_t *)g_read_data(cp, offset, len, NULL); if (fs == NULL) return (NULL); --- patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
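
Review bot: In the g_label_ext2fs.c hunk, the added test `EXT2FS_SB_OFFSET % pp->sectorsize != 0` takes a modulus by pp->sectorsize, and nothing in the visible context establishes that the value is nonzero when the provider is tasted. If a provider can reach this routine with a zero sector size, the guard itself becomes the fault. Suggest `if (pp->sectorsize == 0 || EXT2FS_SB_OFFSET % pp->sectorsize != 0) return;`. Checking only the offset is otherwise sufficient here, because the length passed to g_read_data() is pp->sectorsize itself. The comment should read "must be a multiple of". Since the same guard is repeated in the reiserfs hunk and the description says other taste routines have the same problem, a single helper that validates offset and length before calling g_read_data() would cover them all in one place.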
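
Review bot: In the g_label_iso9660.c hunk, `if (pp->sectorsize != 2048) return;` is stricter than what is needed to avoid the invalid request, and it changes behaviour for providers the removed line used to read. The old code read pp->sectorsize bytes at 0x8000 on any provider; with this check a provider with a smaller sector size that divides 0x8000 evenly is no longer tasted for ISO9660 at all, although the request there would be valid. The added comment itself notes that the standard allows "2048 or the physical sector size on the device, whichever is greater". A check in the style of the other two hunks, that the offset is a multiple of pp->sectorsize, would prevent the KASSERT without dropping those providers. Separately, `16*2048` equals the old `0x8000`, so the rewrite of the offset is cosmetic; a named constant would be clearer than either literal. The open questions in the comment (which descriptor the label comes from, SIERRA format) belong in the PR discussion rather than in the source.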
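
Review bot: In the g_label_reiserfs.c hunk, the added condition uses `pp->sectorsize`, but the only local visible in the context is `reiserfs_sb_t *fs;` and the existing read goes through `cp`. Unless `pp` is a parameter of this function, the hunk will not compile; `cp->provider->sectorsize` would work with what is visibly in scope, following the `pp = cp->provider;` assignment shown in the other two files. The added comment should say "a REISERFS" rather than "an REISERFS". As with the ext2fs hunk, the modulus assumes a nonzero sector size, so a zero check belongs in the same condition.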