From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271414] negative root i-node size can cause crash in fsck_ffs's iblock() if journaling
Date: Sun, 14 May 2023 14:13:49 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271414

            Bug ID: 271414
           Summary: negative root i-node size can cause crash in fsck_ffs's
                    iblock() if journaling
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 242168
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242168&action=edit
su+j ffs image with negative length for root i-node, causes fsck_ffs to crash

The attached file system image has a root inode with length that has
the high bit set. This causes howmany() in the iblock() code here to
be negative, but nif (being 32 bits) ends up positive and big, so the
"for (i = nif" passes a too-large i to IBLK().

        if (howmany(isize, sizepb) > NINDIR(&sblock))
                nif = NINDIR(&sblock);
        else
                nif = howmany(isize, sizepb);
        if (idesc->id_func == pass1check && nif < NINDIR(&sblock)) {
                for (i = nif; i < NINDIR(&sblock); i++) {
                        if (IBLK(bp, i) == 0)

Here's a backtrace from fsck -y on the attached gzipped image:

Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
0x0000000000213ddc in iblock (idesc=0x7fffffffe7d0, isize=-9142367621260355008, type=4) at inode.c:213
213                     if (IBLK(bp, i)) {
(gdb) where
#0  0x0000000000213ddc in iblock (idesc=0x7fffffffe7d0,
    isize=-9142367621260355008, type=4) at inode.c:213
#1  0x000000000021333b in ckinode (dp=0x800a63b80, idesc=0x7fffffffe7d0)
    at inode.c:138
#2  0x000000000022526d in suj_check (filesys=0x7fffffffed74 "junk")
    at suj.c:2415
#3  0x00000000002195c6 in checkfilesys (filesys=0x7fffffffed74 "junk")
    at main.c:356
#4  0x0000000000218f72 in main (argc=1, argv=0x7fffffffea20) at main.c:210

-- 
You are receiving this mail because:
You are the assignee for the bug.
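
The size-to-count arithmetic described in the report, as an added example (not part of the original report, and not FreeBSD's code or its fix). The isize value is the one in the backtrace; the geometry (32 KiB blocks, 4096 pointers per indirect block, one level of indirection below) and the function names unchecked_nif and checked_nif are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Rounding-up macro of the same shape as howmany() in <sys/param.h>. */
#define howmany(x, y) (((x) + ((y) - 1)) / (y))

/* Assumed geometry, not taken from the report: 32 KiB blocks, 4096
 * pointers per indirect block, one level of indirection below. */
#define NINDIR_ASSUMED 4096
#define SIZEPB_ASSUMED ((int64_t)32768 * NINDIR_ASSUMED)

/* Mirrors the quoted logic: signed 64-bit size, signed 32-bit count. */
int32_t unchecked_nif(int64_t isize, int64_t sizepb, int32_t nindir)
{
	if (howmany(isize, sizepb) > nindir)
		return nindir;
	/* Out-of-range narrowing is implementation-defined; gcc and clang
	 * keep the low 32 bits, so a negative quotient can turn positive. */
	return (int32_t)howmany(isize, sizepb);
}

/* Hypothetical hardened variant: returns 0 and stores a count in
 * [0, nindir], or returns -1 when the on-disk size cannot be valid. */
int checked_nif(int64_t isize, int64_t sizepb, int32_t nindir, int32_t *nif)
{
	int64_t n;

	if (isize < 0 || sizepb <= 0 || nindir <= 0)
		return -1;
	/* Round up without isize + sizepb - 1, which can overflow. */
	n = isize / sizepb + (isize % sizepb != 0);
	*nif = n > nindir ? nindir : (int32_t)n;
	return 0;
}

int main(void)
{
	int64_t isize = -9142367621260355008LL; /* isize from the backtrace */
	int32_t nif = 0;

	printf("unchecked nif = %d, NINDIR = %d\n",
	    (int)unchecked_nif(isize, SIZEPB_ASSUMED, NINDIR_ASSUMED),
	    NINDIR_ASSUMED);
	printf("checked rc = %d\n",
	    checked_nif(isize, SIZEPB_ASSUMED, NINDIR_ASSUMED, &nif));
	return 0;
}
```

Under the assumed geometry the unchecked count lands far above NINDIR, so any loop bounded by it indexes past the indirect block buffer; the checked variant rejects the size before any index is derived from it.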