[Bug 263971] ffs: malicious superblock can cause buffer overflow during tasting: panic: vm_fault_lookup: fault on nofault entry, addr: 0xffffffc07cb67000

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 16 May 2022 21:34:06 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263971

--- Comment #3 from Robert Morris <rtm@lcs.mit.edu> ---
(In reply to Kirk McKusick from comment #1)
Even with validate_sblock(), the int32 size in ffs_sbget() can
be made to wrap around. I've attached a disk image taste9f.img with

  fs_cssize 2021359616
  fs_contigsumsize -1
  ncg 126334728

so that this in ffs_sbget()

        size = fs->fs_cssize;
        size += fs->fs_ncg * sizeof(u_int8_t);

yields size = -2147272952 when I run mdconfig -f taste9f.img
Then the process hangs in UFS_MALLOC(size).

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.