Summary: | off-by-one error in fsck_ffs chkrange() block-number check | ||||||
---|---|---|---|---|---|---|---|
Product: | Base System | Reporter: | Robert Morris <rtm> | ||||
Component: | bin | Assignee: | freebsd-fs (Nobody) <fs> | ||||
Status: | Closed FIXED | ||||||
Severity: | Affects Some People | CC: | emaste, imp, lwhsu, mckusick | ||||
Priority: | --- | ||||||
Version: | CURRENT | ||||||
Hardware: | Any | ||||||
OS: | Any | ||||||
Attachments: |
|
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=b3fe5d932264445cbf9a1c4eab01afb6179b499b commit b3fe5d932264445cbf9a1c4eab01afb6179b499b Author: Kirk McKusick <mckusick@FreeBSD.org> AuthorDate: 2023-05-09 20:08:10 +0000 Commit: Kirk McKusick <mckusick@FreeBSD.org> CommitDate: 2023-05-09 20:08:10 +0000 Fix off-by-one error in fsck_ffs(8) chkrange() block-number check. On an amd64-CURRENT machine with an i-node that refers to a block number that is one too large will cause a core dump, due to writing beyond the end of blockmap[] and corrupting the next heap block, which happens to contain a struct inoinfo in inphash[]. Note that valgrind catches the blockmap[] access. Reported by: Robert Morris PR: 271289 MFC after: 1 week Sponsored by: The FreeBSD Foundation sbin/fsck_ffs/inode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Suggested change made. Will close after MFC to 13. A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=8e0b31c791cf1da6d9fda3da9999e66a5e162230 commit 8e0b31c791cf1da6d9fda3da9999e66a5e162230 Author: Kirk McKusick <mckusick@FreeBSD.org> AuthorDate: 2023-05-09 20:08:10 +0000 Commit: Kirk McKusick <mckusick@FreeBSD.org> CommitDate: 2023-05-19 23:02:21 +0000 Fix off-by-one error in fsck_ffs(8) chkrange() block-number check. PR: 271289 (cherry picked from commit b3fe5d932264445cbf9a1c4eab01afb6179b499b) sbin/fsck_ffs/inode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) MFC'ed to 13. |
Created attachment 242024 [details] broken ffs image that causes off-by-one block-number check error in fsck In this code in src/sbin/fsck_ffs/inode.c, I think the "blk > maxfsblock" should be >=. The cnt - 1 ... check also looks off by one. int chkrange(ufs2_daddr_t blk, int cnt) { int c; if (cnt <= 0 || blk <= 0 || blk > maxfsblock || cnt - 1 > maxfsblock - blk) { if (debug) printf("out of range: blk %ld, offset %i, size %d\n", (long)blk, (int)fragnum(&sblock, blk), cnt); return (1); } I've attached a broken file-system image with an i-node that refers to a block number that's one too large (64): % cp fsck4b.img junk % fsck_ffs -y junk On my CURRENT amd64 machine this yields a core dump, due to writing beyond the end of blockmap[] and corrupting the next heap block, which happens to contain a struct inoinfo in inphash[]. valgrind catches the blockmap[] access.