Date:      Sun, 14 May 2023 14:13:49 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 271414] negative root i-node size can cause crash in fsck_ffs's iblock() if journaling
Message-ID:  <bug-271414-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271414

            Bug ID: 271414
           Summary: negative root i-node size can cause crash in
                    fsck_ffs's iblock() if journaling
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 242168
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242168&action=edit
su+j ffs image with negative length for root i-node, causes fsck_ffs to crash

The attached file system image has a root inode with length that has
the high bit set. This causes howmany() in the iblock() code here
to be negative, but nif (being 32 bits) ends up positive and big, so the
"for (i = nif" passes a too-large i to IBLK().

        if (howmany(isize, sizepb) > NINDIR(&sblock))
                nif = NINDIR(&sblock);
        else
                nif = howmany(isize, sizepb);
        if (idesc->id_func == pass1check && nif < NINDIR(&sblock)) {
                for (i = nif; i < NINDIR(&sblock); i++) {
                        if (IBLK(bp, i) == 0)

Here's a backtrace from fsck -y on the attached gzipped image:

Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
0x0000000000213ddc in iblock (idesc=0x7fffffffe7d0, isize=-9142367621260355008,
type=4) at inode.c:213
213                     if (IBLK(bp, i)) {
(gdb) where
#0  0x0000000000213ddc in iblock (idesc=0x7fffffffe7d0, 
    isize=-9142367621260355008, type=4) at inode.c:213
#1  0x000000000021333b in ckinode (dp=0x800a63b80, idesc=0x7fffffffe7d0)
    at inode.c:138
#2  0x000000000022526d in suj_check (filesys=0x7fffffffed74 "junk")
    at suj.c:2415
#3  0x00000000002195c6 in checkfilesys (filesys=0x7fffffffed74 "junk")
    at main.c:356
#4  0x0000000000218f72 in main (argc=1, argv=0x7fffffffea20) at main.c:210

-- 
You are receiving this mail because:
You are the assignee for the bug.
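The report describes a 64-bit howmany() result that goes negative and is then stored in a 32-bit nif. The following is an added example, not code from the report or from FreeBSD's fsck_ffs, that reproduces that truncation in isolation and shows the check a defender would put in front of it. NINDIR = 4096 and sizepb = 32768 are constructed stand-ins, not values read from any superblock.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* howmany() as in <sys/param.h>: round-up integer division. With a negative
 * numerator the result is negative, which the fsck code never expected. */
#define howmany(x, y) (((x) + ((y) - 1)) / (y))

/* Constructed stand-ins (assumptions, not read from any superblock):
 * a 32 KiB block with 8-byte block pointers gives NINDIR = 4096 entries per
 * indirect block, and sizepb is the number of bytes one entry covers. */
#define NINDIR_CONST 4096
#define SIZEPB       ((int64_t)32768)

/* Mirrors the report's computation: howmany() is evaluated in 64 bits, but
 * nif is a 32-bit int, so a negative 64-bit count is silently truncated and
 * can come out as a large positive value. */
int32_t nif_unchecked(int64_t isize)
{
    int32_t nif;
    if (howmany(isize, SIZEPB) > NINDIR_CONST)
        nif = NINDIR_CONST;
    else
        nif = (int32_t)howmany(isize, SIZEPB);   /* truncating conversion */
    return nif;
}

/* Hardened variant: a negative inode length is corruption and is refused
 * before any arithmetic, and an over-large length is clamped without
 * evaluating howmany() (so isize + SIZEPB - 1 cannot overflow either). */
bool nif_checked(int64_t isize, int32_t *nif_out)
{
    if (isize < 0)
        return false;                  /* caller must not index IBLK() */
    if (isize >= (int64_t)NINDIR_CONST * SIZEPB)
        *nif_out = NINDIR_CONST;
    else
        *nif_out = (int32_t)howmany(isize, SIZEPB);
    return true;
}

int main(void)
{
    int64_t isize = -9142367621260355008LL;   /* the length from the backtrace */
    int32_t nif;
    printf("unchecked nif for %lld: %ld\n", (long long)isize, (long)nif_unchecked(isize));
    printf("checked: %s\n", nif_checked(isize, &nif) ? "accepted" : "rejected as corrupt");
    return 0;
}
```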