[Bug 271351] fsck_ffs can crash if fs_size < fs_ncg*fs_fpg
Date: Wed, 10 May 2023 15:02:25 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271351

            Bug ID: 271351
           Summary: fsck_ffs can crash if fs_size < fs_ncg*fs_fpg
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 242107
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242107&action=edit
broken image that causes fsck_ffs to crash due to fs_size < fs_ncg*fs_fpg

These two checks in ffs_subr.c's validate_sblock():

    FCHK(fs->fs_size, <=, ((int64_t)fs->fs_ncg - 1) * fs->fs_fpg, %jd);

and

    FCHK(fs->fs_size, <=, ((int64_t)fs->fs_ncg - 1) * fs->fs_fpg, %jd);

allow fs_size to be smaller than fs_ncg*fs_fpg. For example, if fs_ncg is 1,
then the test only requires fs_size to be > 0.

validate_sblock() checks fs_csaddr against fs_ncg*fs_fpg, and thus fs_csaddr
can point beyond fs_size. As a result, a too-large value of fs_csaddr can
cause this code in fsck_ffs's pass1() to write beyond the end of blockmap,
whose size is determined by fs_size:

    i = sblock.fs_csaddr;
    cgd = i + howmany(sblock.fs_cssize, sblock.fs_fsize);
    for (; i < cgd; i++)
        setbmap(i);

I've attached a file system image that causes fsck_ffs -y to either dump core
or fail valgrind.

-- 
You are receiving this mail because:
You are the assignee for the bug.
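As an added illustration (not the reporter's attachment and not FreeBSD's own validate_sblock() or fsck code), the following models the gap the report describes: a superblock with fs_ncg = 1 satisfies the loose size and fs_csaddr bounds, yet the summary-area range that pass1() marks in blockmap runs past fs_size. The struct, field values and the tightened check are assumptions for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical stand-in for the superblock fields involved in the report;
 * it is not the real struct fs from ufs/ffs/fs.h. */
struct sb {
    int64_t fs_size;    /* number of fragments in the file system (blockmap size) */
    int32_t fs_ncg;     /* number of cylinder groups */
    int32_t fs_fpg;     /* fragments per cylinder group */
    int64_t fs_csaddr;  /* fragment address of the cylinder-group summary area */
    int32_t fs_cssize;  /* size of the summary area in bytes */
    int32_t fs_fsize;   /* fragment size in bytes */
};

#define howmany(x, y) (((x) + ((y) - 1)) / (y))

/* The bounds the report quotes: fs_size only has to exceed
 * (fs_ncg - 1) * fs_fpg, and fs_csaddr is compared with fs_ncg * fs_fpg,
 * which may be larger than fs_size. */
static bool loose_checks_pass(const struct sb *fs)
{
    if (fs->fs_size <= ((int64_t)fs->fs_ncg - 1) * fs->fs_fpg)
        return false;
    if (fs->fs_csaddr < 0 ||
        fs->fs_csaddr >= (int64_t)fs->fs_ncg * fs->fs_fpg)
        return false;
    return true;
}

/* The range pass1() would mark is [fs_csaddr, fs_csaddr + howmany(cssize, fsize)).
 * Returns true only when that whole range lies inside blockmap (fs_size). */
static bool csaddr_within_fs_size(const struct sb *fs)
{
    int64_t cgd = fs->fs_csaddr + howmany((int64_t)fs->fs_cssize, fs->fs_fsize);
    return fs->fs_csaddr >= 0 && cgd <= fs->fs_size;
}

/* Assumed tightening for illustration (not the committed FreeBSD fix):
 * reject any superblock whose summary area would extend past fs_size. */
static bool strict_checks_pass(const struct sb *fs)
{
    return loose_checks_pass(fs) && csaddr_within_fs_size(fs);
}

/* Constructed values modelled on the report: one cylinder group, fs_size far
 * below fs_ncg * fs_fpg, and fs_csaddr beyond fs_size but below fs_ncg * fs_fpg. */
static const struct sb bad_sb = {
    .fs_size = 512, .fs_ncg = 1, .fs_fpg = 8192,
    .fs_csaddr = 4096, .fs_cssize = 2048, .fs_fsize = 1024,
};
```

With bad_sb, loose_checks_pass() returns true while csaddr_within_fs_size() returns false, which is exactly the combination that lets the setbmap() loop write past the end of blockmap.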