Bug 271289 - off-by-one error in fsck_ffs chkrange() block-number check
Summary: off-by-one error in fsck_ffs chkrange() block-number check
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-fs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-06 21:00 UTC by Robert Morris
Modified: 2023-05-20 00:07 UTC (History)
4 users (show)

See Also:

Attachments
broken ffs image that causes off-by-one block-number check error in fsck (800.00 KB, application/octet-stream)
2023-05-06 21:00 UTC, Robert Morris 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Morris 2023-05-06 21:00:50 UTC 
Created attachment 242024 [details]
broken ffs image that causes off-by-one block-number check error in fsck

In this code in src/sbin/fsck_ffs/inode.c, I think the "blk >
maxfsblock" should be >=. The cnt - 1 ... check also looks off by one.

int
chkrange(ufs2_daddr_t blk, int cnt)
{
        int c;

        if (cnt <= 0 || blk <= 0 || blk > maxfsblock ||
            cnt - 1 > maxfsblock - blk) {
                if (debug)
                        printf("out of range: blk %ld, offset %i, size %d\n",
                            (long)blk, (int)fragnum(&sblock, blk), cnt);
                return (1);
        }

I've attached a broken file-system image with an i-node that refers to
a block number that's one too large (64):

% cp fsck4b.img junk
% fsck_ffs -y junk

On my CURRENT amd64 machine this yields a core dump, due to writing
beyond the end of blockmap[] and corrupting the next heap block, which
happens to contain a struct inoinfo in inphash[]. valgrind catches
the blockmap[] access.
Comment 1 commit-hook freebsd_committer freebsd_triage 2023-05-09 20:09:45 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b3fe5d932264445cbf9a1c4eab01afb6179b499b

commit b3fe5d932264445cbf9a1c4eab01afb6179b499b
Author:     Kirk McKusick <mckusick@FreeBSD.org>
AuthorDate: 2023-05-09 20:08:10 +0000
Commit:     Kirk McKusick <mckusick@FreeBSD.org>
CommitDate: 2023-05-09 20:08:10 +0000

    Fix off-by-one error in fsck_ffs(8) chkrange() block-number check.

    On an amd64-CURRENT machine with an i-node that refers to a block
    number that is one too large will cause a core dump, due to writing
    beyond the end of blockmap[] and corrupting the next heap block,
    which happens to contain a struct inoinfo in inphash[]. Note that
    valgrind catches the blockmap[] access.

    Reported by:  Robert Morris
    PR:           271289
    MFC after:    1 week
    Sponsored by: The FreeBSD Foundation

 sbin/fsck_ffs/inode.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Comment 2 Kirk McKusick freebsd_committer freebsd_triage 2023-05-09 23:16:01 UTC 
Suggested change made.
Will close after MFC to 13.
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-05-19 23:55:08 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=8e0b31c791cf1da6d9fda3da9999e66a5e162230

commit 8e0b31c791cf1da6d9fda3da9999e66a5e162230
Author:     Kirk McKusick <mckusick@FreeBSD.org>
AuthorDate: 2023-05-09 20:08:10 +0000
Commit:     Kirk McKusick <mckusick@FreeBSD.org>
CommitDate: 2023-05-19 23:02:21 +0000

    Fix off-by-one error in fsck_ffs(8) chkrange() block-number check.

    PR:           271289

    (cherry picked from commit b3fe5d932264445cbf9a1c4eab01afb6179b499b)

 sbin/fsck_ffs/inode.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Comment 4 Kirk McKusick freebsd_committer freebsd_triage 2023-05-20 00:07:58 UTC 
MFC'ed to 13.