Bug 271414 - negative root i-node size can cause crash in fsck_ffs's iblock() if journaling
Summary: negative root i-node size can cause crash in fsck_ffs's iblock() if journaling
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-fs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-14 14:13 UTC by Robert Morris
Modified: 2023-06-08 17:21 UTC (History)
CC List: 3 users

See Also:


Attachments
su+j ffs image with negative length for root i-node, causes fsck_ffs to crash (17.64 KB, application/x-gzip)
2023-05-14 14:13 UTC, Robert Morris

Description Robert Morris 2023-05-14 14:13:49 UTC
Created attachment 242168 [details]
su+j ffs image with negative length for root i-node, causes fsck_ffs to crash

The attached file system image has a root inode with a length that has
the high bit set. This causes howmany() in the iblock() code here
to be negative, but nif (being 32 bits) ends up positive and big, so the
"for (i = nif" passes a too-large i to IBLK().

        if (howmany(isize, sizepb) > NINDIR(&sblock))
                nif = NINDIR(&sblock);
        else
                nif = howmany(isize, sizepb);
        if (idesc->id_func == pass1check && nif < NINDIR(&sblock)) {
                for (i = nif; i < NINDIR(&sblock); i++) {
                        if (IBLK(bp, i) == 0)

Here's a backtrace from fsck -y on the attached gzipped image:

Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
0x0000000000213ddc in iblock (idesc=0x7fffffffe7d0, isize=-9142367621260355008, type=4) at inode.c:213
213                     if (IBLK(bp, i)) {
(gdb) where
#0  0x0000000000213ddc in iblock (idesc=0x7fffffffe7d0, 
    isize=-9142367621260355008, type=4) at inode.c:213
#1  0x000000000021333b in ckinode (dp=0x800a63b80, idesc=0x7fffffffe7d0)
    at inode.c:138
#2  0x000000000022526d in suj_check (filesys=0x7fffffffed74 "junk")
    at suj.c:2415
#3  0x00000000002195c6 in checkfilesys (filesys=0x7fffffffed74 "junk")
    at main.c:356
#4  0x0000000000218f72 in main (argc=1, argv=0x7fffffffea20) at main.c:210
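As an added illustration (this is not code from the report or from the FreeBSD commit), the C program below reproduces the arithmetic the report describes with constructed values and places a checked version beside it: a 64-bit howmany() quotient that is negative, stored into a 32-bit int, can come out as a large positive block-pointer count, while the checked version rejects the size up front, in the spirit of the fix's "validate the root directory, else fall back to full fsck" policy. NINDIR_DEMO, SIZEPB_DEMO, MIN_DIRSIZE_DEMO and all function names are assumptions, not fsck_ffs internals.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror of the sys/param.h howmany() macro; with 64-bit operands the
 * division is 64-bit, and for a negative x the quotient is negative. */
#define HOWMANY(x, y) (((x) + ((y) - 1)) / (y))

/* Constructed demo values, not taken from the image in the report. */
#define NINDIR_DEMO      4096       /* pointers per indirect block (hypothetical) */
#define SIZEPB_DEMO      32768LL    /* bytes covered by one pointer at this level (hypothetical) */
#define MIN_DIRSIZE_DEMO 512        /* minimum directory size (placeholder threshold) */

/* The arithmetic from the report: a 64-bit quotient stored into a 32-bit int.
 * A negative quotient is never > nindir, so the else branch runs and the
 * value is truncated to its low 32 bits (modular on GCC/Clang). */
int nif_unchecked(int64_t isize, int64_t sizepb, int nindir)
{
    int nif;
    if (HOWMANY(isize, sizepb) > nindir)
        nif = nindir;
    else
        nif = (int)HOWMANY(isize, sizepb);  /* truncation of a negative 64-bit value */
    return nif;
}

/* Hardened form: refuse a negative size (or a bad divisor) before it can
 * become an index; the caller then treats the i-node as corrupt. */
bool nif_checked(int64_t isize, int64_t sizepb, int nindir, int *nif_out)
{
    if (isize < 0 || sizepb <= 0)
        return false;
    int64_t q = HOWMANY(isize, sizepb);
    *nif_out = (q > nindir) ? nindir : (int)q;
    return true;
}

/* Policy from the fix, in miniature: the root i-node must be a directory
 * with at least a minimum size; anything else means "do a full check". */
bool root_inode_is_sane(uint16_t mode, int64_t size)
{
    const uint16_t ifmt = 0170000, ifdir = 0040000;  /* S_IFMT / S_IFDIR bits */
    return (mode & ifmt) == ifdir && size >= MIN_DIRSIZE_DEMO;
}

int main(void)
{
    /* Constructed: a size with the high bit set, chosen so that the low 32
     * bits of the negative quotient read as a large positive int. */
    const int64_t bad_isize = -4611615649817427968LL;
    int nif;

    nif = nif_unchecked(bad_isize, SIZEPB_DEMO, NINDIR_DEMO);
    printf("unchecked nif = %d (NINDIR is %d)\n", nif, NINDIR_DEMO);

    if (!nif_checked(bad_isize, SIZEPB_DEMO, NINDIR_DEMO, &nif))
        printf("checked: size %lld rejected before any pointer is indexed\n",
               (long long)bad_isize);

    /* Only the checked path ever drives an index loop. */
    if (nif_checked(100000LL, SIZEPB_DEMO, NINDIR_DEMO, &nif))
        for (int i = 0; i < nif; i++)
            printf("would examine pointer %d\n", i);

    printf("root sane? %s\n", root_inode_is_sane(0040755, 1024) ? "yes" : "no");
    return 0;
}
```

The point of the checked version is ordering: the sign test happens on the 64-bit value, before the narrowing assignment, so no truncated value is ever used as a loop bound.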
Comment 1 commit-hook 2023-05-29 21:59:42 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=6a71277c3037df2c3a70464c2e2bf20dec2c128a

commit 6a71277c3037df2c3a70464c2e2bf20dec2c128a
Author:     Kirk McKusick <mckusick@FreeBSD.org>
AuthorDate: 2023-05-29 21:58:20 +0000
Commit:     Kirk McKusick <mckusick@FreeBSD.org>
CommitDate: 2023-05-29 21:58:20 +0000

    Fix a bug in fsck_ffs(8) triggered by corrupted filesystems.

    When loading the root directory ensure that it is a directory
    and has a size greater than the minimum directory size. If an
    invalid root directory is found, fall back to full fsck.

    Reported-by:  Robert Morris
    PR:           271414
    MFC-after:    1 week
    Sponsored-by: The FreeBSD Foundation

 sbin/fsck_ffs/suj.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
Comment 2 Kirk McKusick 2023-05-29 22:01:41 UTC
Fix checked in. Will close when MFC'ed to 13.
Comment 3 commit-hook 2023-06-07 23:16:11 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a4bea5c479d84d5fb10c6d78abce504253fe8e1d

commit a4bea5c479d84d5fb10c6d78abce504253fe8e1d
Author:     Kirk McKusick <mckusick@FreeBSD.org>
AuthorDate: 2023-05-29 21:58:20 +0000
Commit:     Kirk McKusick <mckusick@FreeBSD.org>
CommitDate: 2023-06-07 22:56:12 +0000

    Fix a bug in fsck_ffs(8) triggered by corrupted filesystems.

    Reported-by:  Robert Morris
    PR:           271414
    Sponsored-by: The FreeBSD Foundation

    (cherry picked from commit 6a71277c3037df2c3a70464c2e2bf20dec2c128a)

 sbin/fsck_ffs/suj.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
Comment 4 Kirk McKusick 2023-06-08 17:21:32 UTC
MFC'ed to 13.