[Bug 214423] dosfs support in libstand is broken since r298230
bugzilla-noreply at freebsd.org
Fri Nov 11 15:11:56 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214423
Bug ID: 214423
Summary: dosfs support in libstand is broken since r298230
Product: Base System
Version: 11.0-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: Mikhail.Kupchik at gmail.com
CC: freebsd-amd64 at FreeBSD.org
Created attachment 176899
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=176899&action=edit
Patch for lib/libstand/dosfs.c
Support for dosfs filesystem in loader.efi (via libstand) works as expected in
FreeBSD 10.3, but is broken since FreeBSD 11.0.
How to reproduce this problem:
# cd ~
# dd if=/dev/zero of=mfsroot bs=1m count=12
# set MDEV=`mdconfig -a -t vnode -f mfsroot`
# newfs -O 1 /dev/$MDEV
# mount /dev/$MDEV /mnt
# mkdir /mnt/dev
# mkdir /mnt/sbin
# cp /rescue/sh /mnt/sbin/init
# umount /mnt
# mdconfig -d -u $MDEV
# dd if=/dev/zero of=testbootfs bs=1m count=128
# set MDEV=`mdconfig -a -t vnode -f testbootfs`
# gpart create -s gpt $MDEV
# gpart add -t efi $MDEV
# newfs_msdos "${MDEV}p1"
# mount -t msdosfs "/dev/${MDEV}p1" /mnt
# mkdir /mnt/boot
# mv mfsroot /mnt/boot/
# cp /boot/kernel/kernel /mnt/boot/kernel
# echo 'set vfs.root.mountfrom="ufs:/dev/md0"' > /mnt/boot/loader.rc
# echo 'load /boot/kernel' >> /mnt/boot/loader.rc
# echo 'load -t mfsroot /boot/mfsroot' >> /mnt/boot/loader.rc
# echo 'boot' >> /mnt/boot/loader.rc
# mkdir -p /mnt/efi/boot
# cp /boot/loader.efi /mnt/efi/boot/bootx64.efi
# umount /mnt
# mdconfig -d -u $MDEV
Then write ~/testbootfs to a USB thumb drive and attempt to boot from it in
UEFI mode.
Expected behavior: normal boot until init.
Actual behavior: when the loader is reading the kernel from disk, the UEFI firmware
crashes due to heap corruption.
The problem can be reproduced under 12-CURRENT and 11.0-RELEASE-p2. It can't
be reproduced under 10.3-RELEASE-p11. Bisection shows that the problem is related
to changes in lib/libstand/dosfs.c made in r298230.
This problem seems to be caused by a long disk read (past the end of the allocated
buffer) in lib/libstand/dosfs.c:ioread(), or in the device strategy functions called
in that context.
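As an added illustration (not the dosfs.c code or the attached patch), the following C sketch shows the bug class the report describes: a read of whole sectors that is longer than the buffer the caller allocated, next to a version that bounces the partial tail sector so the caller's buffer is never overrun. The device model and the names `dev_read`, `ioread_unsafe`, `ioread_safe` and `guard_intact` are hypothetical, constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SECSIZE 512
#define NSECT   8
static uint8_t disk[NSECT * SECSIZE];   /* constructed stand-in for a block device */

/* Hypothetical strategy routine: like a loader block driver, it moves whole
 * sectors only. Returns 0 on success, -1 if the range is off the device. */
static int dev_read(unsigned lba, unsigned nsect, void *buf) {
    if (lba + nsect > NSECT) return -1;
    memcpy(buf, disk + (size_t)lba * SECSIZE, (size_t)nsect * SECSIZE);
    return 0;
}

/* Bug pattern: round the request up to whole sectors and read them straight into
 * a buffer that only holds len bytes; up to SECSIZE-1 bytes past buf get clobbered. */
static int ioread_unsafe(uint64_t off, void *buf, size_t len) {
    unsigned nsect = (unsigned)((len + SECSIZE - 1) / SECSIZE);
    return dev_read((unsigned)(off / SECSIZE), nsect, buf);
}

/* Fixed pattern: read full sectors directly, then bounce the partial tail
 * sector through a private buffer so exactly len bytes reach buf. */
static int ioread_safe(uint64_t off, void *buf, size_t len) {
    uint8_t tmp[SECSIZE];
    unsigned lba = (unsigned)(off / SECSIZE);
    size_t full = len / SECSIZE, rest = len % SECSIZE;
    if (off % SECSIZE != 0) return -1;      /* example covers aligned offsets only */
    if (full && dev_read(lba, (unsigned)full, buf) != 0) return -1;
    if (rest) {
        if (dev_read(lba + (unsigned)full, 1, tmp) != 0) return -1;
        memcpy((uint8_t *)buf + full * SECSIZE, tmp, rest);
    }
    return 0;
}

/* Harness: a 700-byte request into a 700-byte region followed by a zeroed guard.
 * Returns 1 if guard and data are right, 0 if the guard was overwritten, -1 on error. */
static int guard_intact(int (*rd)(uint64_t, void *, size_t)) {
    uint8_t buf[700 + SECSIZE];
    memset(disk, 0xAA, sizeof disk);
    memset(buf, 0, sizeof buf);
    if (rd(0, buf, 700) != 0) return -1;
    for (size_t i = 0; i < 700; i++) if (buf[i] != 0xAA) return -1;
    for (size_t i = 700; i < sizeof buf; i++) if (buf[i] != 0) return 0;
    return 1;
}

int main(void) { return guard_intact(ioread_unsafe) == 0 && guard_intact(ioread_safe) == 1 ? 0 : 1; }
```

The guard region stands in for whatever the loader's allocator placed after the buffer; in the real loader the overwritten bytes belong to neighbouring heap objects, which is the corruption the firmware crash exposes.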
The attached patch for lib/libstand/dosfs.c fixes this heap corruption (and also
simplifies fetching of the next cluster from the FAT cache):