Bug 271378 - negative jt_size in ffs truncate journal record causes fsck to crash
Summary: negative jt_size in ffs truncate journal record causes fsck to crash
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-fs (Nobody)
Keywords: crash
Reported: 2023-05-12 10:44 UTC by Robert Morris
Modified: 2023-06-08 17:20 UTC (History)
Attachments
gzipped ffs image with bad journal record that causes fsck to crash in ino_trunc (17.61 KB, application/x-gzip)
2023-05-12 10:44 UTC, Robert Morris

Description Robert Morris 2023-05-12 10:44:32 UTC
Created attachment 242130
gzipped ffs image with bad journal record that causes fsck to crash in ino_trunc

If a truncate journal record has a negative size, suj.c's ino_trunc()
will index di_db[] with a negative index here:

        lastlbn = lblkno(fs, blkroundup(fs, size));
        for (i = lastlbn; i < UFS_NDADDR; i++) {
                if ((bn = DIP(dp, di_db[i])) == 0)

I've attached a gzipped file system image; here's the backtrace
from fsck_ffs -y fsck22a.img:

Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
0x000000000022aaca in ino_trunc (ino=3, size=-4420917493761) at suj.c:1329
1329                    if ((bn = DIP(dp, di_db[i])) == 0)
(gdb) where
#0  0x000000000022aaca in ino_trunc (ino=3, size=-4420917493761) at suj.c:1329
#1  0x00000000002270f7 in cg_trunc (sc=0x800a8a8c0) at suj.c:1574
#2  0x0000000000226dc5 in cg_apply (apply=0x227090 <cg_trunc>) at suj.c:1638
#3  0x0000000000225562 in suj_check (filesys=0x7fffffffed74 "junk")
    at suj.c:2460
#4  0x00000000002195c6 in checkfilesys (filesys=0x7fffffffed74 "junk")
    at main.c:356
#5  0x0000000000218f72 in main (argc=1, argv=0x7fffffffea20) at main.c:210
Comment 1 commit-hook freebsd_committer freebsd_triage 2023-05-28 00:13:49 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=101a9ac07128a17d8797cc3e93978d2cfa457e99

commit 101a9ac07128a17d8797cc3e93978d2cfa457e99
Author:     Kirk McKusick <mckusick@FreeBSD.org>
AuthorDate: 2023-05-28 00:09:02 +0000
Commit:     Kirk McKusick <mckusick@FreeBSD.org>
CommitDate: 2023-05-28 00:12:30 +0000

    Fix a bug in fsck_ffs(8) triggered by corrupted filesystems.

    Check for valid file size before processing journal entries for it.
    Done by extracting the file size check from pass1.c into chkfilesize()
    then using it in the journal code in suj.c

    Reported-by:  Robert Morris
    PR:           271378
    MFC-after:    1 week
    Sponsored-by: The FreeBSD Foundation

 sbin/fsck_ffs/fsck.h   |  1 +
 sbin/fsck_ffs/fsutil.c | 25 +++++++++++++++++++++++++
 sbin/fsck_ffs/pass1.c  | 12 +-----------
 sbin/fsck_ffs/suj.c    |  3 +++
 4 files changed, 30 insertions(+), 11 deletions(-)
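A constructed C model of the failure in the report and of the check the commit describes, added here and not fsck_ffs code: trunc_first_lbn() reproduces the lblkno(blkroundup(size)) computation from ino_trunc() with the reported size, and ino_trunc_direct() rejects the record before di_db[] is indexed. The struct layouts, the fs_maxfilesize value and size_is_valid() are assumptions standing in for the real chkfilesize(), which is not reproduced.

```c
#include <stdint.h>
#define UFS_NDADDR 12   /* direct block pointers per inode */
/* Constructed stand-ins for the superblock and inode fields used below. */
struct fs { int64_t fs_bsize, fs_bmask, fs_qbmask, fs_maxfilesize; };
struct inode { int64_t di_size; int64_t di_db[UFS_NDADDR]; };

/* blkroundup() as in ffs.h; lblkno() divides instead of shifting so a negative
 * argument is well defined (the rounded value is a multiple of fs_bsize). */
#define blkroundup(fs, size) (((size) + (fs)->fs_qbmask) & (fs)->fs_bmask)
#define lblkno(fs, loc)      ((loc) / (fs)->fs_bsize)

static void fs_init(struct fs *fs, int64_t bsize, int64_t maxfilesize)
{
    fs->fs_bsize = bsize;        fs->fs_qbmask = bsize - 1;
    fs->fs_bmask = ~(bsize - 1); fs->fs_maxfilesize = maxfilesize;
}

/* Constructed sample inode with every direct block allocated. */
static void sample_inode(const struct fs *fs, struct inode *dp)
{
    for (int i = 0; i < UFS_NDADDR; i++)
        dp->di_db[i] = 1000 + i;
    dp->di_size = UFS_NDADDR * fs->fs_bsize;
}

/* The unchecked computation from ino_trunc(): the first di_db[] index the loop
 * reads. Nothing is dereferenced, so a negative size yields a negative index. */
static int64_t trunc_first_lbn(const struct fs *fs, int64_t size)
{
    return lblkno(fs, blkroundup(fs, size));
}

/* Assumed stand-in for the chkfilesize() check the fix adds to the journal
 * code: reject any size the filesystem could not legitimately hold. */
static int size_is_valid(const struct fs *fs, int64_t size)
{
    return size >= 0 && size <= fs->fs_maxfilesize;
}

/* Truncate dp's direct blocks (indirect blocks are out of scope). Returns the
 * number of pointers cleared, or -1 when the size is rejected up front. */
static int ino_trunc_direct(const struct fs *fs, struct inode *dp, int64_t size)
{
    if (!size_is_valid(fs, size))
        return -1;
    int freed = 0;
    for (int64_t i = trunc_first_lbn(fs, size); i < UFS_NDADDR; i++)
        if (dp->di_db[i] != 0) { dp->di_db[i] = 0; freed++; }
    dp->di_size = size;
    return freed;
}
```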
Comment 2 Kirk McKusick freebsd_committer freebsd_triage 2023-05-28 00:18:05 UTC
Fix checked in. Will close when MFC'ed to 13.
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-06-07 23:16:14 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3035f98d56eb72240c6260d667427ab4ade08b45

commit 3035f98d56eb72240c6260d667427ab4ade08b45
Author:     Kirk McKusick <mckusick@FreeBSD.org>
AuthorDate: 2023-05-28 00:09:02 +0000
Commit:     Kirk McKusick <mckusick@FreeBSD.org>
CommitDate: 2023-06-07 22:46:53 +0000

    Fix a bug in fsck_ffs(8) triggered by corrupted filesystems.

    Reported-by:  Robert Morris
    PR:           271378
    Sponsored-by: The FreeBSD Foundation

    (cherry picked from commit 101a9ac07128a17d8797cc3e93978d2cfa457e99)

 sbin/fsck_ffs/fsck.h   |  1 +
 sbin/fsck_ffs/fsutil.c | 25 +++++++++++++++++++++++++
 sbin/fsck_ffs/pass1.c  | 12 +-----------
 sbin/fsck_ffs/suj.c    |  3 +++
 4 files changed, 30 insertions(+), 11 deletions(-)
Comment 4 Kirk McKusick freebsd_committer freebsd_triage 2023-06-08 17:20:36 UTC
MFC'ed to 13.