bin/111191: dump(8) stack corruption

Thomas Quinot thomas at cuivre.fr.eu.org
Tue Apr 3 15:50:04 UTC 2007


>Number:         111191
>Category:       bin
>Synopsis:       dump(8) stack corruption
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 03 15:50:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Quinot
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD melamine.cuivre.fr.eu.org 6.2-STABLE FreeBSD 6.2-STABLE #0: Sun Mar 18 12:49:35 CET 2007 thomas at melamine.cuivre.fr.eu.org:/space/build/obj/space/build/src/RELENG_6/sys/SMP i386
>Description:
	Under some circumstances, the bread function in dump(8) can corrupt
	the dump process's stack, possibly resulting in an infinite loop.

	Specifically, if bread is called to read a chunk of data entirely
	contained within a block (i.e. base > 0 and resid > 0 and
	base + size < secsize), then xfer is miscomputed as
	secsize - base, and more data is written to the buffer than it can hold.
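
	The miscomputation above, as an added model that is not the original
	traverse.c: model_bread(), init_disk() and the 16-byte SECSIZE are
	constructed so the xfer arithmetic is easy to follow, and the model
	reports how many bytes the real code would have stored instead of
	actually overrunning its buffer.

```c
/* Added model of the bread() partial-sector copy this PR describes; not traverse.c.
 * model_bread, init_disk and the 16-byte SECSIZE are constructed for readability. */
#include <stdio.h>
#include <string.h>
#include <sys/param.h>                 /* MIN(), as used by the fix */
#define SECSIZE 16                     /* constructed; the real value is fs_fsize */
static unsigned char disk[SECSIZE * 4];    /* constructed backing store */

static void init_disk(void)            /* byte i of the disk holds the value i */
{
    for (size_t i = 0; i < sizeof disk; i++)
        disk[i] = (unsigned char)i;
}

/* Copy `size` bytes at `offset` into buf one sector at a time.  fixed == 0 uses
 * the buggy xfer = secsize - base; fixed == 1 uses the patch's MIN() clamp.
 * Returns the byte count the real code would store in buf (an overrun shows as a
 * value above size), or -1 on I/O error; the model's own memcpy stops at bufcap. */
static long model_bread(size_t offset, unsigned char *buf, size_t bufcap,
                        size_t size, int fixed)
{
    unsigned char tmpbuf[SECSIZE];
    long bytes = (long)size;           /* signed like the original: it can go negative */
    size_t written = 0;
    while (bytes > 0) {
        size_t base = offset % SECSIZE, xfer;   /* base: position inside the sector */
        if (offset - base + SECSIZE > sizeof disk)  /* cread() failing: past end of disk */
            return -1;
        memcpy(tmpbuf, disk + (offset - base), SECSIZE);  /* cread(..., secsize, offset - base) */
        if (base == 0)                 /* aligned reads are not affected */
            xfer = MIN((size_t)SECSIZE, (size_t)bytes);
        else
            xfer = fixed ? MIN(SECSIZE - base, (size_t)bytes) : SECSIZE - base;
        if (written < bufcap)
            memcpy(buf + written, tmpbuf + base, MIN(xfer, bufcap - written));
        written += xfer;
        offset += xfer;
        bytes -= (long)xfer;           /* with the bug this drops below zero */
    }
    return (long)written;
}

int main(void)
{
    unsigned char buf[8];
    init_disk();               /* PR's case: base 5 > 0, size 8, base + size 13 < secsize 16 */
    printf("buggy: %ld bytes into an %zu-byte buffer\n",
           model_bread(5, buf, sizeof buf, 8, 0), sizeof buf);
    printf("fixed: %ld bytes\n", model_bread(5, buf, sizeof buf, 8, 1));
    return 0;
}
```

	A read that spans a sector boundary (base + size >= secsize) gives the
	same count with and without the clamp, which is why only reads entirely
	inside one sector trigger the overrun.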

>How-To-Repeat:
	Probably depends on the specific filesystem structure; I encountered
	this situation on a UFS1 FS with the following properties:

magic   11954 (UFS1)    time    Tue Apr  3 17:38:58 2007
id      [ 3d628b58 6f35d1ae ]
ncg     456     size    22447680        blocks  22402990
bsize   16384   shift   14      mask    0xffffc000
fsize   16384   shift   14      mask    0xffffc000
frag    1       shift   0       fsbtodb 5
minfree 8%      optim   time    symlinklen 60
maxbpg  4096    maxcontig 7     contigsumsize 7
nbfree  4609027 ndir    238205  nifree  2822093 nffree  0
cpg     385     bpg     49280   fpg     49280   ipg     12288
nindir  4096    inopb   128     nspf    32      maxfilesize     1126174852055039
sbsize  8192    cgsize  16384   cgoffset 128    cgmask  0xffffffff
csaddr  99      cssize  16384
rotdelay 0ms    rps     60      trackskew 0     interleave 1
nsect   4096    npsect  4096    spc     4096
sblkno  1       cblkno  2       iblkno  3       dblkno  99
cgrotor 381     fmod    0       ronly   0       clean   0
avgfpdir 64     avgfilesize 16384
flags   soft-updates
fsmnt   /raid
volname         swuid   0

>Fix:

Index: traverse.c
===================================================================
RCS file: /space/mirror/ncvs/src/sbin/dump/traverse.c,v
retrieving revision 1.36.2.1
diff -u -r1.36.2.1 traverse.c
--- traverse.c	2 May 2006 19:08:36 -0000	1.36.2.1
+++ traverse.c	3 Apr 2007 15:31:33 -0000
@@ -777,7 +777,7 @@
 			cnt = cread(diskfd, tmpbuf, secsize, offset - base);
 			if (cnt != secsize)
 				goto bad;
-			xfer = secsize - base;
+			xfer = MIN(secsize - base, size);
 			offset += xfer;
 			bytes -= xfer;
 			resid = bytes % secsize;
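Review bot: The clamp in `xfer = MIN(secsize - base, size);` bounds the copy out of tmpbuf by the caller's buffer, and because `bytes -= xfer;` now subtracts no more than was requested, `bytes` can no longer drop below zero and `resid = bytes % secsize;` stays meaningful, which is the loop-termination problem the description points at. Two things to confirm before committing: that traverse.c already includes <sys/param.h>, where MIN() is defined (the hunk context does not show the includes), and that `size` at this point is the number of bytes still to be copied rather than the original request, since the visible lines decrement `bytes` but not `size`; if this branch can run on a later iteration of the loop, the clamp should use the remaining count (`MIN(secsize - base, bytes)`) instead.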
>Release-Note:
>Audit-Trail:
>Unformatted: