From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271354] reachable directory with zero link count can cause fsck to deref NULL
Date: Wed, 10 May 2023 19:09:49 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271354

            Bug ID: 271354
           Summary: reachable directory with zero link count can cause fsck to deref NULL
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 242111
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242111&action=edit
ffs image with reachable directory with zero link count causes fsck to deref NULL

If a directory inode's link count is zero, then pass1.c's checkinode()
doesn't call cacheino() to enter it into inphash[]:

        if (mode == IFDIR) {
                if (DIP(dp, di_size) == 0) {
                        inoinfo(inumber)->ino_state = DCLEAR;
                } else if (DIP(dp, di_nlink) <= 0) {
                        inoinfo(inumber)->ino_state = DZLINK;
                } else {
                        inoinfo(inumber)->ino_state = DSTATE;
                        cacheino(dp, inumber);

Then in pass2check(), if the directory is reachable, the fall-through
path from DZLINK calls getinoinfo(), which returns NULL, causing
inp->i_parent to crash:

                case DZLINK:
                        if (inoinfo(idesc->id_number)->ino_state == DFOUND)
                                inoinfo(dirp->d_ino)->ino_state = DFOUND;
                        /* FALLTHROUGH */

                case DFOUND:
                        inp = getinoinfo(dirp->d_ino);
                        if (idesc->id_entryno > 2) {
                                if (inp->i_parent == 0) {

I've attached a file system image in which i-node 3 (/.snap) has a 0
link count, and which yields this fsck_ffs backtrace:

Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
0x000000000021f412 in pass2check (idesc=0x7fffffffe7b8) at pass2.c:554
554                                     if (inp->i_parent == 0) {
(gdb) where
#0  0x000000000021f412 in pass2check (idesc=0x7fffffffe7b8) at pass2.c:554
#1  0x00000000002093e7 in dirscan (idesc=0x7fffffffe7b8) at dir.c:211
#2  0x000000000021318b in ckinode (dp=0x7fffffffe6b8, idesc=0x7fffffffe7b8)
    at inode.c:126
#3  0x000000000021e130 in pass2 () at pass2.c:202
#4  0x0000000000219a7d in checkfilesys (filesys=0x7fffffffed71 "junk")
    at main.c:468
#5  0x0000000000218f42 in main (argc=1, argv=0x7fffffffea20) at main.c:210

-- 
You are receiving this mail because:
You are the assignee for the bug.
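The condition described in this report, reduced to a small stand-alone C model (an added example, not fsck_ffs source and not part of the original message). It shows how a directory classified DZLINK in the first pass never gets a cache entry, so a later lookup on the DZLINK-to-DFOUND fall-through must handle a miss. The names model_pass1, model_lookup, model_pass2_entry and struct dircache are hypothetical, treating DSTATE like DZLINK is an assumption of the model, and the inode numbers and sizes are constructed.

```c
/* Simplified model of the condition in the report; NOT fsck_ffs source. */
#include <stddef.h>

enum state { USTATE, DSTATE, DZLINK, DCLEAR, DFOUND }; /* state names from the report */
struct dircache { int number, parent; struct dircache *next; }; /* hypothetical */
enum { NINO = 8, HASHSZ = 4 };
static enum state ino_state[NINO];
static struct dircache pool[NINO], *hash[HASHSZ];
static int npool;

/* pass1 model: a directory is cached only if size > 0 and nlink > 0. */
void model_pass1(int ino, long size, int nlink) {
    if (size == 0) { ino_state[ino] = DCLEAR; return; }
    if (nlink <= 0) { ino_state[ino] = DZLINK; return; } /* no cache entry made */
    ino_state[ino] = DSTATE;
    struct dircache *c = &pool[npool++];
    c->number = ino; c->parent = 0;
    c->next = hash[ino % HASHSZ]; hash[ino % HASHSZ] = c;
}

/* Cache lookup; a miss is reported as NULL, as the report describes. */
struct dircache *model_lookup(int ino) {
    for (struct dircache *c = hash[ino % HASHSZ]; c != NULL; c = c->next)
        if (c->number == ino) return c;
    return NULL;
}

/* pass2 model: `parent` names `child`. 0 = parent recorded, -1 = cache miss, 1 = other. */
int model_pass2_entry(int parent, int child) {
    switch (ino_state[child]) {
    case DSTATE: /* assumption of this model: handled like DZLINK */
    case DZLINK:
        if (ino_state[parent] == DFOUND) ino_state[child] = DFOUND;
        /* FALLTHROUGH */
    case DFOUND: {
        struct dircache *c = model_lookup(child);
        if (c == NULL) return -1; /* the dereference in the report has no such check */
        if (c->parent == 0) c->parent = parent;
        return 0;
    }
    default: return 1;
    }
}

int main(void) {
    model_pass1(2, 512, 2); ino_state[2] = DFOUND; /* constructed: root directory */
    model_pass1(3, 512, 0);                        /* constructed: zero-link directory */
    return model_pass2_entry(2, 3) == -1 ? 0 : 1;  /* miss is detected, not dereferenced */
}
```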