https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258960
Bug ID: 258960
Summary: mounting a corrupt FAT32 disk can consume all memory
Product: Base System
Version: 13.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: b...@freebsd.org
Reporter: r...@lcs.mit.edu
Attachment #228476 text/plain mime type:

Created attachment 228476
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228476&action=edit
Program to generate a FAT32 image that causes mount_msdosfs to allocate huge amounts of memory.

I've attached a program that generates a FAT32 disk image that, when mounted, causes the kernel's msdosfs_mount() to try to allocate 1000 GB of memory. On my machine this ends up killing every process due to lack of swap. I don't think the mount process itself can be killed, so it's a fairly fatal condition.

The cause is some parameters in the FAT32 image that have outrageous values, for example the "total logical sectors" at BPB offset 0x020 is 120 million, much larger than the actual disk image.

msdosfs_mount() allocates an amount of memory derived from pmp->maxcluster, which is the product of some of these huge values:

    pmp->pm_inusemap = malloc(howmany(pmp->pm_maxcluster + 1, N_INUSEBITS)
        * sizeof(*pmp->pm_inusemap), M_MSDOSFSFAT, M_WAITOK);

Here's how to produce and mount an image that causes this problem, using the attached fat323.c program:

    % cc fat323.c
    % ./a.out
    % sudo mdconfig -f fat323.img
    % sudo mount_msdosfs /dev/md0 /mnt

My machine runs

    FreeBSD xxx 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24 07:33:27 UTC 2021 r...@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

-- 
You are receiving this mail because:
You are the assignee for the bug.
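The kind of sanity check the report points toward, as an added example that is not part of the original report and is not FreeBSD's code or its fix: validate the BPB against the real size of the backing media before sizing any per-cluster allocation. The function and enum names are hypothetical, the field offsets are the standard FAT32 BPB layout, and the 32-bit bitmap word and the simplified cluster count are assumptions.

```c
#include <stdint.h>
#include <string.h>

static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }

enum bpb_status { BPB_OK, BPB_BAD_GEOMETRY, BPB_EXCEEDS_MEDIA, BPB_FAT_TOO_SMALL };

/* Constructed sample BPB: 512-byte sectors, 8 per cluster, 32 reserved
 * sectors, 2 FATs of 128 sectors each, caller-chosen total sector count. */
static void make_sample_bpb(uint8_t bs[512], uint32_t total)
{
    memset(bs, 0, 512);
    bs[0x0c] = 0x02;                      /* bytes per sector = 0x0200 */
    bs[0x0d] = 8; bs[0x0e] = 32; bs[0x10] = 2; bs[0x24] = 128;
    for (int i = 0; i < 4; i++)
        bs[0x20 + i] = (uint8_t)(total >> (8 * i));
}

/* Check a FAT32 BPB against the real size of the backing media before
 * sizing anything per cluster. On BPB_OK, *map_bytes is the size of a
 * one-bit-per-cluster in-use map (32-bit words, an assumption here). */
enum bpb_status
fat32_bpb_check(const uint8_t bs[512], uint64_t media_bytes, uint64_t *map_bytes)
{
    uint32_t bps = le16(bs + 0x0b);       /* bytes per sector */
    uint32_t spc = bs[0x0d];              /* sectors per cluster */
    uint32_t reserved = le16(bs + 0x0e);  /* reserved sectors */
    uint32_t nfats = bs[0x10];            /* number of FATs */
    uint32_t total = le32(bs + 0x20);     /* total logical sectors */
    uint32_t fatsz = le32(bs + 0x24);     /* sectors per FAT */

    /* Sector and cluster sizes must be sane powers of two. */
    if (bps < 512 || bps > 4096 || (bps & (bps - 1)) != 0 ||
        spc == 0 || (spc & (spc - 1)) != 0 || nfats == 0)
        return BPB_BAD_GEOMETRY;
    uint64_t first_data = reserved + (uint64_t)nfats * fatsz;
    if (total <= first_data)
        return BPB_BAD_GEOMETRY;
    /* The volume cannot be larger than the device or image holding it. */
    if ((uint64_t)total * bps > media_bytes)
        return BPB_EXCEEDS_MEDIA;
    /* Each cluster needs a 4-byte FAT entry; two entries are reserved. */
    uint64_t clusters = (total - first_data) / spc;
    if ((uint64_t)fatsz * bps / 4 < clusters + 2)
        return BPB_FAT_TOO_SMALL;
    *map_bytes = (clusters + 2 + 31) / 32 * sizeof(uint32_t);
    return BPB_OK;
}
```

With the constructed 64 MiB sample, a total-sectors field of 120 million is rejected against the media size, and even on media that large it is rejected because the FAT cannot describe that many clusters.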