The branch main has been updated by mckusick:

URL: https://cgit.FreeBSD.org/src/commit/?id=b3fe5d932264445cbf9a1c4eab01afb6179b499b

commit b3fe5d932264445cbf9a1c4eab01afb6179b499b
Author:     Kirk McKusick <mckus...@freebsd.org>
AuthorDate: 2023-05-09 20:08:10 +0000
Commit:     Kirk McKusick <mckus...@freebsd.org>
CommitDate: 2023-05-09 20:08:10 +0000

    Fix off-by-one error in fsck_ffs(8) chkrange() block-number check.
    
    On an amd64-CURRENT machine, an i-node that refers to a block
    number that is one too large will cause a core dump, due to writing
    beyond the end of blockmap[] and corrupting the next heap block,
    which happens to contain a struct inoinfo in inphash[]. Note that
    valgrind catches the blockmap[] access.
    
    Reported by:  Robert Morris
    PR:           271289
    MFC after:    1 week
    Sponsored by: The FreeBSD Foundation
---
 sbin/fsck_ffs/inode.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sbin/fsck_ffs/inode.c b/sbin/fsck_ffs/inode.c
index 04891447254e..00a60157138c 100644
--- a/sbin/fsck_ffs/inode.c
+++ b/sbin/fsck_ffs/inode.c
@@ -381,8 +381,8 @@ chkrange(ufs2_daddr_t blk, int cnt)
 {
        int c;
 
-       if (cnt <= 0 || blk <= 0 || blk > maxfsblock ||
-           cnt - 1 > maxfsblock - blk) {
+       if (cnt <= 0 || blk <= 0 || blk >= maxfsblock ||
+           cnt > maxfsblock - blk) {
                if (debug)
                        printf("out of range: blk %ld, offset %i, size %d\n",
                            (long)blk, (int)fragnum(&sblock, blk), cnt);
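Review bot: with `cnt > 0` already guaranteed by the first term, `cnt > maxfsblock - blk` on its own rejects every `blk >= maxfsblock` (the right-hand side is then `<= 0`), so the new `blk >= maxfsblock` test is redundant; harmless, but since this boundary has now been got wrong once, a one-line comment stating the invariant the condition enforces (`1 <= blk` and `blk + cnt <= maxfsblock`, i.e. every index in `[blk, blk + cnt)` is a valid `blockmap[]` slot) would make the intent checkable at a glance. The debug `printf` on the following lines also prints `blk`, the fragment offset and `cnt` but not `maxfsblock`; including it would let someone reading the output confirm which bound was crossed without consulting the source.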
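To make the off-by-one concrete, here is an added, stand-alone C example (not code from the FreeBSD tree) that places the pre-commit and post-commit forms of the chkrange() condition side by side and reports the highest blockmap[] index a range would touch. The `maxfsblock` value and the `ufs2_daddr_t` typedef are constructed stand-ins for the fsck_ffs globals; only the two boolean expressions are taken from the diff.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the fsck_ffs globals (hypothetical values). */
typedef int64_t ufs2_daddr_t;
static ufs2_daddr_t maxfsblock = 1000;   /* blockmap[] holds indices 0 .. maxfsblock-1 */

/* Pre-commit condition: true when the range [blk, blk+cnt) is rejected. */
bool chkrange_old_rejects(ufs2_daddr_t blk, int cnt)
{
	return cnt <= 0 || blk <= 0 || blk > maxfsblock ||
	    cnt - 1 > maxfsblock - blk;
}

/* Post-commit condition (this change): true when the range is rejected. */
bool chkrange_new_rejects(ufs2_daddr_t blk, int cnt)
{
	return cnt <= 0 || blk <= 0 || blk >= maxfsblock ||
	    cnt > maxfsblock - blk;
}

/* Highest blockmap[] index that accepting [blk, blk+cnt) would touch. */
ufs2_daddr_t last_index(ufs2_daddr_t blk, int cnt)
{
	return blk + cnt - 1;
}

/* True when accepting the range would index past the end of blockmap[]. */
bool overruns_blockmap(ufs2_daddr_t blk, int cnt)
{
	return last_index(blk, cnt) >= maxfsblock;
}

int main(void)
{
	/* Constructed probe ranges around the upper boundary. */
	struct { ufs2_daddr_t blk; int cnt; } probes[] = {
		{ 999, 1 },     /* last valid block, one fragment */
		{ 1000, 1 },    /* one past the end, one fragment */
		{ 999, 2 },     /* run that ends one past the end */
		{ 1, 999 },     /* longest valid run from block 1 */
		{ 1, 1000 },    /* same run, one too long */
	};
	printf("%6s %5s %5s  %-8s %-8s %s\n",
	    "blk", "cnt", "last", "old", "new", "overrun?");
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		ufs2_daddr_t blk = probes[i].blk;
		int cnt = probes[i].cnt;
		printf("%6ld %5d %5ld  %-8s %-8s %s\n", (long)blk, cnt,
		    (long)last_index(blk, cnt),
		    chkrange_old_rejects(blk, cnt) ? "reject" : "accept",
		    chkrange_new_rejects(blk, cnt) ? "reject" : "accept",
		    overruns_blockmap(blk, cnt) ? "yes" : "no");
	}
	return 0;
}
```

The rows with `last == maxfsblock` are the ones the old condition let through: it accepted `blk == maxfsblock` and any run whose final index equalled `maxfsblock`, which is exactly one slot past the last element of `blockmap[]`. The new condition rejects every range the `overruns_blockmap()` helper flags and still accepts every range it does not, which is the property a regression test for this bug should pin down.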
