Date: Mon, 13 Feb 2023 15:25:19 -0800
From: John-Mark Gurney
To: Mark Millard
Cc: bob prohaska, mckusick@freebsd.org, freebsd-arm@freebsd.org
Subject: Re: fsck segfaults on rpi3 running 13-stable (and on 14-CURRENT analyzing the same file system that resulted from the 13-STABLE crash)
Message-ID: <20230213232519.GD95670@funkthat.com>
In-Reply-To: <03840D0B-13D4-4F22-BDAF-2887A4D78BED@yahoo.com>
List-Id: Porting FreeBSD to ARM processors
List-Archive: https://lists.freebsd.org/archives/freebsd-arm

Mark Millard wrote this message on Sun, Feb 12, 2023 at 13:25 -0800:
> [With a backtrace for the fsck_ffs SIGSEGV crash and some
> listing of code involved, I'm now including mckusick@FreeBSD.org
> in the To: . Kirk M. likely would like you to preserve the
> problematical UFS file system that produces the fsck_ffs
> crashes, at least for now. For Kirk M.: The below is from/for
> the fsck_ffs attempted from 14-CURRENT.]
>
> On Feb 12, 2023, at 11:53, bob prohaska wrote:
>
> > On Sun, Feb 12, 2023 at 11:31:59AM -0800, Mark Millard wrote:
> >>
> >> I'll note that another option is to run fsck_ffs from
> >> lldb in the first place.
> >
> > That seems more productive, yielding:
[...]
> So the code around /usr/main-src/sbin/fsck_ffs/inode.c:1314 looks
> like: (leading white space might not be preserved)
>
> void
> prtinode(struct inode *ip)
> {
> 	char *p;
> 	union dinode *dp;
> 	struct passwd *pw;
> 	time_t t;
>
> 	dp = ip->i_dp;
> 	printf(" I=%lu ", (u_long)ip->i_number);
> 	if (ip->i_number < UFS_ROOTINO || ip->i_number > maxino)
> 		return;
> 	printf(" OWNER=");
> 	if ((pw = getpwuid((int)DIP(dp, di_uid))) != NULL)
> 		printf("%s ", pw->pw_name);
> 	else
> 		printf("%u ", (unsigned)DIP(dp, di_uid));
> 	printf("MODE=%o\n", DIP(dp, di_mode));
> 	if (preen)
> 		printf("%s: ", cdevname);
> 	printf("SIZE=%ju ", (uintmax_t)DIP(dp, di_size));
> 	t = DIP(dp, di_mtime);
> 	p = ctime(&t);
> 	printf("MTIME=%12.12s %4.4s ", &p[4], &p[20]);
> }
[...]
> So far, I've not identified how the NULL pointer showed up
> that ended up being dereferenced. It does not look likely
> that I will identify such.

Ok, decided to run AFL on fsck, and this one was the first crash it
discovered.

The problem is that ctime can return NULL, and the return value isn't
checked, because it then immediately does &p[4] which results in printf
and friends being passed 0x4.

Simple test program that demonstrates this problem:

#include <stdio.h>
#include <time.h>

int
main()
{
	const char *p;
	time_t t;

	/* A timestamp far outside the range ctime() can convert. */
	t = -5098919203113507862;
	p = ctime(&t);		/* returns NULL for this value */
	/* &p[4] is then 0x4; printf dereferences it and crashes. */
	printf("MTIME=%12.12s %4.4s ", &p[4], &p[20]);

	return 0;
}

I'm not sure what the correct fix is for when times are wildly out of
valid range.
-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
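A hardened counterpart of the MTIME line in prtinode(), written as an added example for this thread (it is not fsck_ffs code and format_mtime is a hypothetical name): it converts with localtime_r() and strftime() instead of ctime(), checks each result, and falls back to printing the raw timestamp for values such as the one in the test program above. It assumes a 64-bit time_t.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/*
 * Format an inode mtime the way prtinode() prints it ("Feb 13 23:25 2023"),
 * but never dereference an unchecked conversion result.  Returns 1 when a
 * calendar date was produced, 0 when the numeric fallback was used.
 * (Added example; format_mtime is a hypothetical name, not fsck_ffs code.)
 */
int
format_mtime(time_t t, char *buf, size_t len)
{
	struct tm tm;
	char day[32];

	memset(&tm, 0, sizeof(tm));
	/* localtime_r() returns NULL when the year does not fit in struct tm;
	 * this is the case that makes ctime() return NULL in fsck_ffs. */
	if (localtime_r(&t, &tm) == NULL) {
		snprintf(buf, len, "MTIME=%jd (out of range)", (intmax_t)t);
		return 0;
	}
	/* Same fields the original took from ctime(): "%b %e %H:%M" and year. */
	if (strftime(day, sizeof(day), "%b %e %H:%M %Y", &tm) == 0) {
		snprintf(buf, len, "MTIME=%jd (unprintable)", (intmax_t)t);
		return 0;
	}
	snprintf(buf, len, "MTIME=%s", day);
	return 1;
}

int
main(void)
{
	char buf[64];
	/* Constructed inputs: a sane mtime, then the value from the test program. */
	time_t samples[] = { (time_t)1676330719, (time_t)-5098919203113507862LL };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		format_mtime(samples[i], buf, sizeof(buf));
		printf("%s\n", buf);
	}
	return 0;
}
```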