Bug 257491 - fsck_msdosfs can crash if input is bad
Summary: fsck_msdosfs can crash if input is bad
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 13.0-RELEASE
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: Xin LI
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-29 18:15 UTC by Robert Morris
Modified: 2021-07-30 07:40 UTC
CC: 3 users

See Also:


Attachments
A FAT12 file system image that crashes fsck_msdosfs (200.00 KB, application/octet-stream)
2021-07-29 18:15 UTC, Robert Morris

Description Robert Morris 2021-07-29 18:15:36 UTC
Created attachment 226783
A FAT12 file system image that crashes fsck_msdosfs

I've attached a FAT12 image, fat.dat, that crashes fsck_msdosfs:

% fsck_msdosfs /tmp/fat.dat
** /tmp/fat.dat
** Phase 1 - Read FAT and checking connectivity
Bus error
% uname -a
FreeBSD xxx 13.0-RELEASE-p3 FreeBSD 13.0-RELEASE-p3 #0: Tue Jun 29 19:46:20 UTC 2021     root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

The problem seems to be that fat.dat has a FATsecs and bpbBytesPerSec
that multiply to more than the size of fat.dat; fsck_msdosfs calls mmap()
with that huge offset; mmap() returns a pointer (not MAP_FAILED);
fsck_msdosfs uses that pointer, but there's nothing there but a bus error.
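The defensive check implied by the report, as an added example: this is illustrative code written for this page, not fsck_msdosfs source and not the reporter's code. It sizes the FAT from FATsecs and bpbBytesPerSec with overflow detection, then fstat()s the image and refuses to mmap() a region that extends past the end of the file, because mmap() will succeed on such a range and only fault (SIGBUS) when a page beyond EOF is touched. The struct and function names, the 512/4096 geometry and the zero-filled 200 KiB temp file (sized like the attachment, but with constructed contents) are all assumptions for the demo.

```c
/*
 * Added example, not fsck_msdosfs code: prove the FAT region fits inside the
 * image before mapping it.  mmap() does not reject a range past EOF; the
 * SIGBUS arrives later, on first access, so the check must happen up front.
 */
#include <sys/mman.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct fat_map {                /* hypothetical bookkeeping for one mapped FAT */
    void    *base;              /* page-aligned start handed back by mmap() */
    size_t   maplen;            /* length to pass to munmap() */
    uint8_t *fat;               /* first byte of the FAT inside the mapping */
    size_t   fatlen;            /* FATsecs * bpbBytesPerSec */
};

/* FATsecs * bpbBytesPerSec without silent wraparound: 0 = ok, -1 = reject. */
int fat_bytes(uint32_t fat_secs, uint32_t bytes_per_sec, size_t *out)
{
    uint64_t n = (uint64_t)fat_secs * (uint64_t)bytes_per_sec;
    if (fat_secs == 0 || bytes_per_sec == 0 || n > SIZE_MAX)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* 1 if [off, off+len) lies inside the file behind fd, 0 if not, -1 on fstat error. */
int region_in_file(int fd, off_t off, size_t len)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    if (off < 0 || (uint64_t)len > UINT64_MAX - (uint64_t)off)
        return 0;                           /* offset+len would itself overflow */
    return ((uint64_t)off + len <= (uint64_t)st.st_size) ? 1 : 0;
}

/* Map the FAT only after the bounds check passes: 0 on success, -1 otherwise. */
int map_fat(int fd, off_t fat_off, size_t fat_len, struct fat_map *m)
{
    if (region_in_file(fd, fat_off, fat_len) != 1)
        return -1;                          /* truncated or lying image: refuse */
    long pg = sysconf(_SC_PAGESIZE);
    off_t aligned = fat_off & ~((off_t)pg - 1);     /* mmap offset must be page aligned */
    size_t skew = (size_t)(fat_off - aligned);
    void *p = mmap(NULL, fat_len + skew, PROT_READ, MAP_SHARED, fd, aligned);
    if (p == MAP_FAILED)
        return -1;
    m->base = p;
    m->maplen = fat_len + skew;
    m->fat = (uint8_t *)p + skew;
    m->fatlen = fat_len;
    return 0;
}

void unmap_fat(struct fat_map *m)
{
    munmap(m->base, m->maplen);
    memset(m, 0, sizeof *m);
}

/* Constructed test image: an unlinked, zero-filled temp file of `size` bytes. */
int make_image(off_t size)
{
    char path[] = "/tmp/fatimgXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    if (ftruncate(fd, size) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The report's geometry: a FAT that claims to be larger than the whole image. */
int check_oversized_fat(void)
{
    int fd = make_image(200 * 1024);        /* 200 KiB, like the attached fat.dat */
    if (fd < 0)
        return -2;
    size_t fatlen;
    struct fat_map m;
    if (fat_bytes(4096, 512, &fatlen) != 0) {   /* FATsecs=4096 * 512 = 2 MiB */
        close(fd);
        return -2;
    }
    int rc = map_fat(fd, 512, fatlen, &m);  /* FAT after one reserved sector */
    close(fd);
    return rc;                              /* -1: refused instead of faulting later */
}

/* Sane geometry for the same image: the FAT fits and the mapping is readable. */
int check_fitting_fat(void)
{
    int fd = make_image(200 * 1024);
    if (fd < 0)
        return -2;
    size_t fatlen;
    struct fat_map m;
    if (fat_bytes(3, 512, &fatlen) != 0 || map_fat(fd, 512, fatlen, &m) != 0) {
        close(fd);
        return -1;
    }
    int first = m.fat[0];                   /* safe: page is backed by the file */
    unmap_fat(&m);
    close(fd);
    return first;                           /* 0: the file is zero-filled */
}
```

The same check protects the read()-based fallback paths as well: once the FAT size is known to lie inside the file, a short read becomes an ordinary error instead of a truncated buffer that later code indexes as if it were complete.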