https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271289
Bug ID: 271289
Summary: off-by-one error in fsck_ffs chkrange() block-number check
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: b...@freebsd.org
Reporter: r...@lcs.mit.edu

Created attachment 242024
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242024&action=edit
broken ffs image that causes off-by-one block-number check error in fsck

In this code in src/sbin/fsck_ffs/inode.c, I think the "blk > maxfsblock" should be >=. The cnt - 1 ... check also looks off by one.

    int
    chkrange(ufs2_daddr_t blk, int cnt)
    {
            int c;

            if (cnt <= 0 || blk <= 0 || blk > maxfsblock ||
                cnt - 1 > maxfsblock - blk) {
                    if (debug)
                            printf("out of range: blk %ld, offset %i, size %d\n",
                                (long)blk, (int)fragnum(&sblock, blk), cnt);
                    return (1);
            }

I've attached a broken file-system image with an i-node that refers to a block number that's one too large (64):

    % cp fsck4b.img junk
    % fsck_ffs -y junk

On my CURRENT amd64 machine this yields a core dump, due to writing beyond the end of blockmap[] and corrupting the next heap block, which happens to contain a struct inoinfo in inphash[]. valgrind catches the blockmap[] access.

--
You are receiving this mail because:
You are the assignee for the bug.
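Added example, not part of the bug report or of fsck_ffs: a C model of the quoted range check beside the >= form the reporter suggests, with a constructed maxfsblock of 64, to show why block 64 (and a 2-block run starting at 63) passes the reported check yet indexes past the end of a blockmap[] with maxfsblock entries. The names chkrange_reported, chkrange_fixed and blocks_past_blockmap, and the ufs2_daddr_t typedef, are stand-ins assumed for this model.

```c
#include <stdio.h>
#include <stdint.h>

/* Stand-in for the UFS2 block-number type (assumed for this model). */
typedef int64_t ufs2_daddr_t;

/* Constructed sample: blockmap[] has maxfsblock entries, so the legal
 * block numbers are 0 .. maxfsblock - 1. */
static ufs2_daddr_t maxfsblock = 64;

/* Block-number part of chkrange() as quoted in the report.
 * Returns 1 for "out of range", 0 otherwise, like the original. */
static int chkrange_reported(ufs2_daddr_t blk, int cnt)
{
    if (cnt <= 0 || blk <= 0 || blk > maxfsblock ||
        cnt - 1 > maxfsblock - blk)
        return (1);
    return (0);
}

/* The same check with the reporter's suggestion applied: blk == maxfsblock
 * is rejected, and the run blk .. blk+cnt-1 must end before maxfsblock. */
static int chkrange_fixed(ufs2_daddr_t blk, int cnt)
{
    if (cnt <= 0 || blk <= 0 || blk >= maxfsblock ||
        cnt > maxfsblock - blk)
        return (1);
    return (0);
}

/* How many of the blocks blk .. blk+cnt-1 index past the end of a
 * blockmap[] with maxfsblock entries; each is an out-of-bounds write if
 * the caller marks the run after a passing range check. */
static int blocks_past_blockmap(ufs2_daddr_t blk, int cnt)
{
    int n = 0;

    for (int i = 0; i < cnt; i++)
        if (blk + i >= maxfsblock)
            n++;
    return (n);
}

int main(void)
{
    ufs2_daddr_t blk = 64;  /* the report's case on a 64-entry map */

    printf("blk %ld: reported check %s, fixed check %s, %d past blockmap[]\n",
        (long)blk, chkrange_reported(blk, 1) ? "rejects" : "accepts",
        chkrange_fixed(blk, 1) ? "rejects" : "accepts",
        blocks_past_blockmap(blk, 1));
    return 0;
}
```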