Bug 271312 - inum > maxino should probably be inum >= maxino in fsck_ffs
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-fs (Nobody)
Reported: 2023-05-08 09:45 UTC by Robert Morris
Modified: 2023-09-02 11:06 UTC


Attachments
broken file system image that causes fsck to crash due to off-by-one maxino check (800.00 KB, application/octet-stream)
2023-05-08 09:45 UTC, Robert Morris

Description Robert Morris 2023-05-08 09:45:10 UTC
Created attachment 242053
broken file system image that causes fsck to crash due to off-by-one maxino check

fsck_ffs has some checks for an out-of-range i-number that say "... >
maxino" which I think should be >=.

One consequence is that inoinfo() in fsutil.c can index beyond the end
of inostathead[]:

        if (inum > maxino)
                errx(EEXIT, "inoinfo: inumber %ju out of range",
                    (uintmax_t)inum);
        ilp = &inostathead[inum / sblock.fs_ipg];

A backtrace from fsck_ffs -y on the attached file-system image:

Program received signal SIGBUS, Bus error.
Object-specific hardware error.
0x000000000021f051 in pass2check (idesc=0x7fffffffe7b8) at pass2.c:486
486                     switch (inoinfo(dirp->d_ino)->ino_state) {
(gdb) where
#0  0x000000000021f051 in pass2check (idesc=0x7fffffffe7b8) at pass2.c:486
#1  0x00000000002093e7 in dirscan (idesc=0x7fffffffe7b8) at dir.c:211
#2  0x000000000021318b in ckinode (dp=0x7fffffffe6b8, idesc=0x7fffffffe7b8)
    at inode.c:126
#3  0x000000000021e130 in pass2 () at pass2.c:202
#4  0x0000000000219a7d in checkfilesys (filesys=0x7fffffffed79 "junk")
    at main.c:468
#5  0x0000000000218f42 in main (argc=1, argv=0x7fffffffea28) at main.c:210
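
The off-by-one described in the report, reduced to a stand-alone C illustration (added here; not code from fsck_ffs or from the reporter). It assumes the table has one slot per cylinder group and that maxino equals groups times inodes-per-group; NCG, IPG and the function names are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy geometry (assumption; not read from the attached image). */
#define NCG 4u  /* cylinder groups == slots in the per-group table */
#define IPG 8u  /* inodes per cylinder group */

/* Valid i-numbers are 0 .. maxino - 1. */
static const uint64_t maxino = (uint64_t)NCG * IPG;

/* Range check as quoted in the report: only inum > maxino is rejected. */
static int accepted_before(uint64_t inum) { return !(inum > maxino); }

/* Range check after the fix: inum >= maxino is rejected. */
static int accepted_after(uint64_t inum) { return inum < maxino; }

/* Table slot that an inum / ipg lookup would dereference. */
static uint64_t group_slot(uint64_t inum) { return inum / IPG; }

/* Nonzero when inum passes the check yet selects a slot past the table. */
static int escapes(int (*check)(uint64_t), uint64_t inum)
{
    return check(inum) && group_slot(inum) >= NCG;
}

/* Count the inums in [0, limit] that pass the check but index out of bounds. */
static unsigned count_escapes(int (*check)(uint64_t), uint64_t limit)
{
    unsigned n = 0;
    for (uint64_t i = 0; i <= limit; i++)
        n += (unsigned)escapes(check, i);
    return n;
}

int main(void)
{
    printf("maxino=%ju, slot for inum==maxino: %ju, valid slots: 0..%u\n",
        (uintmax_t)maxino, (uintmax_t)group_slot(maxino), NCG - 1);
    printf("out-of-bounds inums accepted by '>'  check: %u\n",
        count_escapes(accepted_before, 2 * maxino));
    printf("out-of-bounds inums accepted by '>=' check: %u\n",
        count_escapes(accepted_after, 2 * maxino));
    return 0;
}
```

Exactly one value, inum == maxino, gets past the old check, and it lands on the slot immediately after the last valid one.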
Comment 1 commit-hook freebsd_committer freebsd_triage 2023-05-27 23:08:35 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=11ce203e0535c1c8f520c9bda81ab9326cf5db80

commit 11ce203e0535c1c8f520c9bda81ab9326cf5db80
Author:     Kirk McKusick <mckusick@FreeBSD.org>
AuthorDate: 2023-05-27 23:07:09 +0000
Commit:     Kirk McKusick <mckusick@FreeBSD.org>
CommitDate: 2023-05-27 23:07:09 +0000

    Fix a bug in fsck_ffs(8) triggered by corrupted filesystems.

    The last valid inode in the filesystem is maxino - 1, not maxino.
    Thus validity checks should be ino < maxino, not ino <= maxino.

    Reported-by:  Robert Morris
    PR:           271312
    MFC-after:    1 week
    Sponsored-by: The FreeBSD Foundation

 sbin/fsck_ffs/dir.c    |  4 ++--
 sbin/fsck_ffs/fsutil.c |  2 +-
 sbin/fsck_ffs/inode.c  | 14 ++++++++------
 sbin/fsck_ffs/pass2.c  |  4 ++--
 4 files changed, 13 insertions(+), 11 deletions(-)
Comment 2 Kirk McKusick freebsd_committer freebsd_triage 2023-05-27 23:45:26 UTC
Fix checked in. Will close when MFC'ed to 13.
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-06-07 23:16:12 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=fbfbd0638a5a3dd4f76eaf17f81450cc09d48e5b

commit fbfbd0638a5a3dd4f76eaf17f81450cc09d48e5b
Author:     Kirk McKusick <mckusick@FreeBSD.org>
AuthorDate: 2023-05-27 23:07:09 +0000
Commit:     Kirk McKusick <mckusick@FreeBSD.org>
CommitDate: 2023-06-07 22:44:12 +0000

    Fix a bug in fsck_ffs(8) triggered by corrupted filesystems.

    The last valid inode in the filesystem is maxino - 1, not maxino.
    Thus validity checks should be ino < maxino, not ino <= maxino.

    Reported-by:  Robert Morris
    PR:           271312
    Sponsored-by: The FreeBSD Foundation

    (cherry picked from commit 11ce203e0535c1c8f520c9bda81ab9326cf5db80)

 sbin/fsck_ffs/dir.c    |  4 ++--
 sbin/fsck_ffs/fsutil.c |  2 +-
 sbin/fsck_ffs/inode.c  | 14 ++++++++------
 sbin/fsck_ffs/pass2.c  |  4 ++--
 4 files changed, 13 insertions(+), 11 deletions(-)
Comment 4 Kirk McKusick freebsd_committer freebsd_triage 2023-06-08 17:06:57 UTC
MFC'ed to 13.
Comment 5 commit-hook freebsd_committer freebsd_triage 2023-09-02 11:02:04 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ccaa547b4d247622e67c5c72fbc629458284a3f7

commit ccaa547b4d247622e67c5c72fbc629458284a3f7
Author:     Marius Halden <marius.halden@modirum.com>
AuthorDate: 2023-09-02 10:59:31 +0000
Commit:     Jochen Neumeister <joneum@FreeBSD.org>
CommitDate: 2023-09-02 11:01:35 +0000

    net-mgmt/nagios-plugins: Update to 2.4.4

    Changelog: https://nagios-plugins.org/nagios-plugins-2-4-4-released/

    PR:     271312
    Sponsored by:   Netzkommune GmbH

 net-mgmt/nagios-plugins/Makefile | 2 +-
 net-mgmt/nagios-plugins/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 6 Jochen Neumeister freebsd_committer freebsd_triage 2023-09-02 11:06:03 UTC
Wrong PR in the commit, sorry. I mean 271313.