Bug 271383 - negative jb_blk in a JOP_FREEBLK ffs journal record can cause fsck to crash
Summary: negative jb_blk in a JOP_FREEBLK ffs journal record can cause fsck to crash
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-fs (Nobody)
URL:
Keywords: crash
Depends on:
Blocks:
 
Reported: 2023-05-12 19:29 UTC by Robert Morris
Modified: 2023-06-08 17:21 UTC
CC: 3 users

See Also:


Attachments
broken ffs image with negative jb_blk that can cause fsck to crash (17.62 KB, application/x-gzip), 2023-05-12 19:29 UTC, Robert Morris, no flags

Description Robert Morris 2023-05-12 19:29:08 UTC
Created attachment 242135
broken ffs image with negative jb_blk that can cause fsck to crash

I've attached a gzipped ffs image with a negative block number
in a journal record which causes ffs_isblock() to index into its cp[]
argument with a negative index. You may need valgrind to see the problem. A
backtrace from fsck_ffs -y fsck24a.img:

(gdb) where
#0  ffs_isblock (fs=<optimized out>, cp=0x800a370d8 "", h=-240) at /usr/src/sys/ufs/ffs/ffs_subr.c:922
#1  0x0000000000227b10 in blk_isfree (bno=-9204789740589546200) at suj.c:523
#2  0x000000000022781c in blk_isindir (blk=-9204789740589546200, ino=3, lbn=-4611686018427387913) at suj.c:377
#3  0x00000000002273eb in indir_visit (ino=3, lbn=-4611686018427387913, blk=-9204789740589546200, frags=0x7fffffffe668, visitor=0x229180 <blk_free_visit>, flags=1) at suj.c:728
#4  0x000000000022bb6e in blk_free_lbn (blk=-9204789740589546200, ino=3, lbn=-4611686018427387913, frags=8, follow=1) at suj.c:917
#5  0x000000000022b9c9 in blk_check (sblk=0x800a93030) at suj.c:1541
#6  0x0000000000227195 in cg_check_blk (sc=0x800a888c0) at suj.c:1612
#7  0x0000000000226dc5 in cg_apply (apply=0x227150 <cg_check_blk>) at suj.c:1638
#8  0x0000000000225571 in suj_check (filesys=0x7fffffffed71 "junk") at suj.c:2461
#9  0x00000000002195c6 in checkfilesys (filesys=0x7fffffffed71 "junk") at main.c:356
#10 0x0000000000218f72 in main (argc=1, argv=0x7fffffffea20) at main.c:210
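As an added illustration of the class of check the fix describes (this is not FreeBSD's code and not the committed change), a simplified C range check for a JOP_FREEBLK-style record, run before anything indexes a block bitmap the way ffs_isblock() does; the types and functions jblkrec_sim, fs_sim, jblk_range_ok and blk_isfree_checked are hypothetical stand-ins, and the bad record reuses the block number from the backtrace above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified stand-ins; the real definitions in sys/ufs/ffs/fs.h differ. */
typedef int64_t ufs2_daddr_t;
struct jblkrec_sim {          /* constructed JOP_FREEBLK-like record */
    ufs2_daddr_t jb_blk;      /* first fragment of the freed range */
    int          jb_frags;    /* number of fragments in the range */
};
struct fs_sim {
    ufs2_daddr_t fs_size;     /* fragments in the filesystem */
    int          fs_frag;     /* fragments per block */
};

/* 1 when the record's range lies inside the filesystem, 0 otherwise; on 0
 * the caller should abandon journal replay and fall back to a full check. */
int jblk_range_ok(const struct fs_sim *fs, const struct jblkrec_sim *rec)
{
    if (rec->jb_blk < 0)                  /* the negative index in this PR */
        return 0;
    if (rec->jb_frags <= 0 || rec->jb_frags > fs->fs_frag)
        return 0;
    if (rec->jb_blk >= fs->fs_size)
        return 0;
    if (rec->jb_frags > fs->fs_size - rec->jb_blk)  /* no overflow in the sum */
        return 0;
    return 1;
}

/* Toy free-map probe (1 = free) shaped like an ffs_isblock() call; it only
 * touches map[] once the range check has passed. */
int blk_isfree_checked(const struct fs_sim *fs, const unsigned char *map,
                       const struct jblkrec_sim *rec)
{
    if (!jblk_range_ok(fs, rec))
        return -1;                        /* refuse instead of indexing */
    return (map[rec->jb_blk >> 3] >> (rec->jb_blk & 7)) & 1;
}

int main(void)
{
    struct fs_sim fs = { .fs_size = 64, .fs_frag = 8 };
    unsigned char map[8];
    memset(map, 0xff, sizeof map);        /* constructed map: all free */
    struct jblkrec_sim bad = { .jb_blk = -9204789740589546200LL, .jb_frags = 8 };
    struct jblkrec_sim good = { .jb_blk = 16, .jb_frags = 8 };
    printf("bad=%d good=%d\n", blk_isfree_checked(&fs, map, &bad),
           blk_isfree_checked(&fs, map, &good));
    return 0;
}
```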
Comment 1 commit-hook freebsd_committer freebsd_triage 2023-05-28 22:24:44 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b796bfce48698449470b751de6b0d96ae7047202

commit b796bfce48698449470b751de6b0d96ae7047202
Author:     Kirk McKusick <mckusick@FreeBSD.org>
AuthorDate: 2023-05-28 22:23:16 +0000
Commit:     Kirk McKusick <mckusick@FreeBSD.org>
CommitDate: 2023-05-28 22:23:37 +0000

    Fix a bug in fsck_ffs(8) triggered by corrupted filesystems.

    Check for valid block numbers while loading journal entries that
    contain block numbers. If an invalid block number is found, fall
    back to full fsck.

    Reported-by:  Robert Morris
    PR:           271383
    MFC-after:    1 week
    Sponsored-by: The FreeBSD Foundation

 sbin/fsck_ffs/suj.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
Comment 2 Kirk McKusick freebsd_committer freebsd_triage 2023-05-28 22:34:42 UTC
Fix checked in. Will close when MFC'ed to 13.
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-06-07 23:16:09 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=da8749afdca81a435b76f8f54e7642e5ee232958

commit da8749afdca81a435b76f8f54e7642e5ee232958
Author:     Kirk McKusick <mckusick@FreeBSD.org>
AuthorDate: 2023-05-28 22:23:16 +0000
Commit:     Kirk McKusick <mckusick@FreeBSD.org>
CommitDate: 2023-06-07 22:48:47 +0000

    Fix a bug in fsck_ffs(8) triggered by corrupted filesystems.

    Reported-by:  Robert Morris
    PR:           271383
    Sponsored-by: The FreeBSD Foundation

    (cherry picked from commit b796bfce48698449470b751de6b0d96ae7047202)

 sbin/fsck_ffs/suj.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
Comment 4 Kirk McKusick freebsd_committer freebsd_triage 2023-06-08 17:21:05 UTC
MFC'ed to 13.