When fsck_ffs is checking a file system, one of the passes is to check the cylinder groups and see if the various bitmaps are correct. For example, on line 325 of pass5.c it looks at cg_inosused(cg). cg has been read from the disk, and cg_inosused is a pointer to cg->cg_iusedoff bytes past cg. (Defined in <ufs/ffs/fs.h>.) Presumably the inosused bitmap is supposed to be in the same block as the cg structure. However, if the cylinder group header is corrupt, cg->cg_iusedoff could be anything and thus cg_inosused(cg) will be a bogus pointer, and fsck_ffs will crash. Possibly there is no reasonable way for fsck_ffs to handle such corruption, but it still shouldn't segfault IMHO. Other uses of the cg_* macros are also suspect, and there may be other errors of the same sort throughout fsck. dumpfs has similar bugs. Fix: Check cg->iusedoff for sanity before trying to use it. For instance, make sure it points within the block that's been read from the disk. How-To-Repeat: I have a filesystem image which crashes fsck_ffs because of this bug. However, the image is 1G and may contain some sensitive data (it's a corrupt /var) so I would rather not make it available. I can try to explain the problem further if necessary.
Responsible Changed From-To: freebsd-bugs->freebsd-fs Over to maintainer(s).
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped