Created attachment 242130 [details]
gzipped ffs image with bad journal record that causes fsck to crash in ino_trunc

If a truncate journal record has a negative size, suj.c's ino_trunc() will index di_db[] with a negative index here:

    lastlbn = lblkno(fs, blkroundup(fs, size));
    for (i = lastlbn; i < UFS_NDADDR; i++) {
        if ((bn = DIP(dp, di_db[i])) == 0)

I've attached a gzipped file system image; here's the backtrace from fsck_ffs -y fsck22a.img:

    Program received signal SIGSEGV, Segmentation fault.
    Address not mapped to object.
    0x000000000022aaca in ino_trunc (ino=3, size=-4420917493761) at suj.c:1329
    1329            if ((bn = DIP(dp, di_db[i])) == 0)
    (gdb) where
    #0  0x000000000022aaca in ino_trunc (ino=3, size=-4420917493761) at suj.c:1329
    #1  0x00000000002270f7 in cg_trunc (sc=0x800a8a8c0) at suj.c:1574
    #2  0x0000000000226dc5 in cg_apply (apply=0x227090 <cg_trunc>) at suj.c:1638
    #3  0x0000000000225562 in suj_check (filesys=0x7fffffffed74 "junk") at suj.c:2460
    #4  0x00000000002195c6 in checkfilesys (filesys=0x7fffffffed74 "junk") at main.c:356
    #5  0x0000000000218f72 in main (argc=1, argv=0x7fffffffea20) at main.c:210
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=101a9ac07128a17d8797cc3e93978d2cfa457e99

commit 101a9ac07128a17d8797cc3e93978d2cfa457e99
Author:     Kirk McKusick <mckusick@FreeBSD.org>
AuthorDate: 2023-05-28 00:09:02 +0000
Commit:     Kirk McKusick <mckusick@FreeBSD.org>
CommitDate: 2023-05-28 00:12:30 +0000

    Fix a bug in fsck_ffs(8) triggered by corrupted filesystems.

    Check for valid file size before processing journal entries for it.
    Done by extracting the file size check from pass1.c into chkfilesize()
    then using it in the journal code in suj.c

    Reported-by:  Robert Morris
    PR:           271378
    MFC-after:    1 week
    Sponsored-by: The FreeBSD Foundation

 sbin/fsck_ffs/fsck.h   |  1 +
 sbin/fsck_ffs/fsutil.c | 25 +++++++++++++++++++++++++
 sbin/fsck_ffs/pass1.c  | 12 +-----------
 sbin/fsck_ffs/suj.c    |  3 +++
 4 files changed, 30 insertions(+), 11 deletions(-)
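The report above shows the hazard (a journal-supplied size turned directly into an array index) and the commit describes the remedy (validate the size before the journal code uses it). The following is an added example written for this page, not fsck_ffs source and not the commit's chkfilesize(): it models the ino_trunc() direct-block loop with a constructed 32 KiB block geometry in place of the real `fs` superblock fields, and puts a hypothetical `journal_size_ok()` guard in front of the index computation. The block size, the addressable-size formula, the inode contents and the helper names are all assumptions made for the demonstration; the only page-derived value is the negative size from the backtrace.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the ino_trunc() direct-block loop from the report
 * (example code, not fsck_ffs source).  A fixed 32 KiB block size and UFS2's
 * 8-byte block pointers stand in for the real `fs` superblock fields.
 */
#define UFS_NDADDR 12                  /* direct block pointers per inode (as in UFS) */
#define FS_BSHIFT  15
#define FS_BSIZE   ((int64_t)1 << FS_BSHIFT)
#define FS_BMASK   (FS_BSIZE - 1)

typedef int64_t ufs_lbn_t;

/* Byte offset -> logical block number (models UFS lblkno()). */
static ufs_lbn_t lblkno(int64_t off) { return off >> FS_BSHIFT; }

/* Round a byte count up to a block boundary (models UFS blkroundup()). */
static int64_t blkroundup(int64_t size) { return (size + FS_BMASK) & ~FS_BMASK; }

/*
 * Largest file size this constructed geometry can address: 12 direct blocks
 * plus three levels of indirect blocks, each holding FS_BSIZE/8 pointers.
 * Assumed formula for the demo; the real limit comes from the superblock.
 */
static int64_t max_file_size(void) {
    int64_t nindir = FS_BSIZE / (int64_t)sizeof(int64_t);
    int64_t blocks = UFS_NDADDR + nindir + nindir * nindir + nindir * nindir * nindir;
    return blocks * FS_BSIZE - 1;
}

/*
 * Hypothetical stand-in for the commit's chkfilesize(): a size read from a
 * journal record is untrusted and must be non-negative and within the
 * filesystem's addressable range before it is used to derive an array index.
 */
static int journal_size_ok(int64_t size) {
    return size >= 0 && size <= max_file_size();
}

/*
 * Truncate the direct block array of a (constructed) inode to `size`.
 * Returns the number of entries cleared, or -1 if the size was rejected.
 * The loop mirrors the report's `for (i = lastlbn; i < UFS_NDADDR; i++)`;
 * the guard is what keeps lastlbn from ever being negative.
 */
static int trunc_direct_blocks(int64_t di_db[UFS_NDADDR], int64_t size) {
    if (!journal_size_ok(size))
        return -1;                                   /* bad record: skip it, never index */
    ufs_lbn_t lastlbn = lblkno(blkroundup(size));    /* first block past the new size */
    int cleared = 0;
    for (ufs_lbn_t i = lastlbn; i < UFS_NDADDR; i++) {
        if (di_db[i] == 0)
            continue;
        di_db[i] = 0;
        cleared++;
    }
    return cleared;
}

/* Build a fresh inode with all 12 direct pointers populated (constructed data). */
static void fill_inode(int64_t di_db[UFS_NDADDR]) {
    for (int i = 0; i < UFS_NDADDR; i++)
        di_db[i] = 1000 + i;
}

/* Apply one truncate record to a fresh inode; returns entries cleared or -1. */
static int simulate_truncate(int64_t size) {
    int64_t di_db[UFS_NDADDR];
    fill_inode(di_db);
    return trunc_direct_blocks(di_db, size);
}

/* Same, but report how many direct pointers survive the record. */
static int remaining_after_truncate(int64_t size) {
    int64_t di_db[UFS_NDADDR];
    fill_inode(di_db);
    trunc_direct_blocks(di_db, size);
    int left = 0;
    for (int i = 0; i < UFS_NDADDR; i++)
        left += di_db[i] != 0;
    return left;
}

int main(void) {
    /* The size from the backtrace in the report, two well-formed sizes, one oversized. */
    const int64_t sizes[] = { -4420917493761LL, 0, 40000, max_file_size() + 1 };
    for (size_t k = 0; k < sizeof sizes / sizeof sizes[0]; k++) {
        int r = simulate_truncate(sizes[k]);
        if (r < 0)
            printf("size %lld: rejected before indexing di_db[]\n", (long long)sizes[k]);
        else
            printf("size %lld: lastlbn=%lld, cleared %d direct pointers\n",
                   (long long)sizes[k], (long long)lblkno(blkroundup(sizes[k])), r);
    }
    return 0;
}
```

With the guard in place the record from the report is discarded before any index is formed, while a size of 40000 rounds up to two 32 KiB blocks and clears direct pointers 2 through 11. The same check rejects sizes beyond the geometry's addressable range, which is the other way a corrupted record can drive the loop bound out of the array.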
Fix checked in. Will close when MFC'ed to 13.
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3035f98d56eb72240c6260d667427ab4ade08b45

commit 3035f98d56eb72240c6260d667427ab4ade08b45
Author:     Kirk McKusick <mckusick@FreeBSD.org>
AuthorDate: 2023-05-28 00:09:02 +0000
Commit:     Kirk McKusick <mckusick@FreeBSD.org>
CommitDate: 2023-06-07 22:46:53 +0000

    Fix a bug in fsck_ffs(8) triggered by corrupted filesystems.

    Reported-by:  Robert Morris
    PR:           271378
    Sponsored-by: The FreeBSD Foundation

    (cherry picked from commit 101a9ac07128a17d8797cc3e93978d2cfa457e99)

 sbin/fsck_ffs/fsck.h   |  1 +
 sbin/fsck_ffs/fsutil.c | 25 +++++++++++++++++++++++++
 sbin/fsck_ffs/pass1.c  | 12 +-----------
 sbin/fsck_ffs/suj.c    |  3 +++
 4 files changed, 30 insertions(+), 11 deletions(-)
MFC'ed to 13.