Date: Wed, 10 May 2023 15:02:25 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271351] fsck_ffs can crash if fs_size < fs_ncg*fs_fpg
Message-ID: <bug-271351-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271351

Bug ID: 271351
Summary: fsck_ffs can crash if fs_size < fs_ncg*fs_fpg
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu

Created attachment 242107
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242107&action=edit
broken image that causes fsck_ffs to crash due to fs_size < fs_ncg*fs_fpg

These two checks in ffs_subr.c's validate_sblock():

    FCHK(fs->fs_size, <=, ((int64_t)fs->fs_ncg - 1) * fs->fs_fpg, %jd);

and

    FCHK(fs->fs_size, <=, ((int64_t)fs->fs_ncg - 1) * fs->fs_fpg, %jd);

allow fs_size to be smaller than fs_ncg*fs_fpg. For example, if fs_ncg is 1,
then the test only requires fs_size to be > 0.

validate_sblock() checks fs_csaddr against fs_ncg*fs_fpg, and thus fs_csaddr
can point beyond fs_size. As a result, a too-large value of fs_csaddr can
cause this code in fsck_ffs's pass1() to write beyond the end of blockmap,
whose size is determined by fs_size:

    i = sblock.fs_csaddr;
    cgd = i + howmany(sblock.fs_cssize, sblock.fs_fsize);
    for (; i < cgd; i++)
        setbmap(i);

I've attached a file system image that causes fsck_ffs -y to either dump core
or fail valgrind.

-- 
You are receiving this mail because:
You are the assignee for the bug.
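The mismatch the report describes, as an added C example that is not part of the report or of fsck_ffs: a constructed subset of the superblock fields, the quoted fs_size relation beside a fs_csaddr check bounded by fs_size rather than fs_ncg * fs_fpg, and a bounds-checked stand-in for the pass1() setbmap loop that refuses the image instead of writing past the map. The struct, the two sample images and all function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#define howmany(x, y) (((x) + ((y) - 1)) / (y))

/* Constructed subset of the FFS superblock fields the report discusses. */
struct sblock {
    int64_t fs_size;   /* fragments in the file system; sizes fsck's blockmap */
    int32_t fs_ncg;    /* number of cylinder groups */
    int32_t fs_fpg;    /* fragments per cylinder group */
    int64_t fs_csaddr; /* first fragment of the cylinder-group summary area */
    int32_t fs_cssize; /* summary area size in bytes */
    int32_t fs_fsize;  /* fragment size in bytes */
};
/* Constructed image with fs_ncg == 1: fs_size only has to exceed 0 to pass the
 * quoted FCHK, so fs_csaddr can sit beyond fs_size yet inside fs_ncg * fs_fpg. */
static const struct sblock bad_fs = { .fs_size = 2000, .fs_ncg = 1, .fs_fpg = 8192,
    .fs_csaddr = 4000, .fs_cssize = 8192, .fs_fsize = 4096 };
/* Constructed sane image: the summary area lies inside fs_size. */
static const struct sblock good_fs = { .fs_size = 8192, .fs_ncg = 1, .fs_fpg = 8192,
    .fs_csaddr = 100, .fs_cssize = 8192, .fs_fsize = 4096 };

/* First fragment past the summary area, as pass1() computes cgd. */
static int64_t summary_end(const struct sblock *fs) {
    return fs->fs_csaddr + howmany(fs->fs_cssize, fs->fs_fsize);
}
/* What the quoted FCHK accepts: fs_size > (fs_ncg - 1) * fs_fpg. */
static bool size_check_as_quoted(const struct sblock *fs) {
    return fs->fs_size > ((int64_t)fs->fs_ncg - 1) * fs->fs_fpg;
}
/* The bound the report says fs_csaddr is checked against: fs_ncg * fs_fpg. */
static bool csaddr_within_ncg_fpg(const struct sblock *fs) {
    return fs->fs_csaddr >= 0 && summary_end(fs) <= (int64_t)fs->fs_ncg * fs->fs_fpg;
}
/* The bound that actually protects blockmap: fs_size. */
static bool csaddr_within_fs_size(const struct sblock *fs) {
    return fs->fs_csaddr >= 0 && summary_end(fs) <= fs->fs_size;
}
/* Bounds-checked stand-in for the pass1() setbmap loop over a map of
 * fs_size bits: returns fragments marked, or -1 instead of writing past it. */
static int64_t mark_summary_blocks(const struct sblock *fs) {
    if (!csaddr_within_fs_size(fs)) return -1;
    uint8_t *map = calloc((size_t)howmany(fs->fs_size, 8), 1);
    if (map == NULL) return -1;
    for (int64_t i = fs->fs_csaddr; i < summary_end(fs); i++)
        map[i / 8] |= (uint8_t)(1u << (i % 8));       /* setbmap(i) */
    int64_t marked = summary_end(fs) - fs->fs_csaddr;
    free(map);
    return marked;
}
```

With bad_fs the quoted relation and the fs_ncg * fs_fpg bound both pass while the fs_size bound fails, which is exactly the gap that lets the original loop index past blockmap.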
