bin/111191: dump(8) stack corruption
Thomas Quinot
thomas at cuivre.fr.eu.org
Tue Apr 3 15:50:04 UTC 2007
>Number: 111191
>Category: bin
>Synopsis: dump(8) stack corruption
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 03 15:50:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Thomas Quinot
>Release: FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD melamine.cuivre.fr.eu.org 6.2-STABLE FreeBSD 6.2-STABLE #0: Sun Mar 18 12:49:35 CET 2007 thomas at melamine.cuivre.fr.eu.org:/space/build/obj/space/build/src/RELENG_6/sys/SMP i386
>Description:
Under some circumstances, the bread function in dump(8) can corrupt
the dump process's stack, possibly resulting in an infinite loop.
Specifically, if bread is called to read a chunk of data entirely
contained within a block (i.e. base > 0 and resid > 0 and
base + size < secsize), then xfer is miscomputed as
secsize - base, and more data is written to the buffer than it can hold.
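The head-of-sector path described above, as an added model written for this report (not dump(8)'s own code, reconstructed only from the hunk in the Fix section): `bread_model` copies a request that may start and end mid-sector from a constructed in-memory device, with `clamp` selecting either the original `secsize - base` transfer or the `MIN()`-bounded one, and refuses the transfer instead of overrunning the caller's buffer. `SECSIZE`, `disk_byte`, `dev_read` and `check_read` are names assumed for the example.

```c
#include <stddef.h>
#include <string.h>
#define SECSIZE 512                        /* sector size of the model device */
#define MINV(a, b) ((a) < (b) ? (a) : (b)) /* same as sys/param.h MIN() */
/* Constructed device contents: byte i of the "disk" holds (i * 7) & 0xff. */
static unsigned char disk_byte(size_t i) { return (unsigned char)((i * 7) & 0xff); }

/* Stand-in for cread(): the device is read in whole sectors, so copy `len`
 * bytes starting at device byte `off` (assumed sector-aligned) into dst. */
static void dev_read(unsigned char *dst, size_t len, size_t off)
{ for (size_t i = 0; i < len; i++) dst[i] = disk_byte(off + i); }

/* Model of bread(): copy `size` bytes from device byte `offset` into buf of
 * capacity `size`. clamp == 0 keeps the original xfer = secsize - base,
 * clamp != 0 bounds it as the patch does. Returns bytes stored, or -1 when the
 * head transfer would overrun buf (refused instead of overwriting the stack). */
int bread_model(size_t offset, unsigned char *buf, size_t size, int clamp)
{
    unsigned char tmp[SECSIZE];
    size_t bytes = size, base = offset % SECSIZE, resid = bytes % SECSIZE;
    size_t done = 0, xfer;
    if (base) {                            /* request starts mid-sector */
        dev_read(tmp, SECSIZE, offset - base);
        xfer = clamp ? MINV(SECSIZE - base, bytes) : SECSIZE - base;
        if (xfer > size)                   /* the overrun the PR describes */
            return -1;
        memcpy(buf, tmp + base, xfer);
        done = xfer; offset += xfer; bytes -= xfer; resid = bytes % SECSIZE;
    }
    dev_read(buf + done, bytes - resid, offset);  /* whole sectors */
    done += bytes - resid; offset += bytes - resid;
    if (resid) {                           /* request ends mid-sector */
        dev_read(tmp, SECSIZE, offset);
        memcpy(buf + done, tmp, resid);
        done += resid;
    }
    return (int)done;
}

/* Drive the model and compare the copy with the device: -1 if refused,
 * 1 if every byte matches and the count is right, 0 otherwise. */
int check_read(size_t offset, size_t size, int clamp)
{
    static unsigned char out[4 * SECSIZE];
    int n = size > sizeof out ? -1 : bread_model(offset, out, size, clamp);
    for (int i = 0; i < n; i++)
        if (out[i] != disk_byte(offset + i))
            return 0;
    return n < 0 ? -1 : n == (int)size;
}
```

A request that crosses a sector boundary, or ends exactly on one, behaves the same with or without the bound; only a request wholly inside one sector (base > 0, base + size < secsize) makes the unbounded transfer exceed the buffer.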
>How-To-Repeat:
This probably depends on the specific filesystem structure; I encountered
this situation on a UFS1 FS with the following properties:
magic 11954 (UFS1) time Tue Apr 3 17:38:58 2007
id [ 3d628b58 6f35d1ae ]
ncg 456 size 22447680 blocks 22402990
bsize 16384 shift 14 mask 0xffffc000
fsize 16384 shift 14 mask 0xffffc000
frag 1 shift 0 fsbtodb 5
minfree 8% optim time symlinklen 60
maxbpg 4096 maxcontig 7 contigsumsize 7
nbfree 4609027 ndir 238205 nifree 2822093 nffree 0
cpg 385 bpg 49280 fpg 49280 ipg 12288
nindir 4096 inopb 128 nspf 32 maxfilesize 1126174852055039
sbsize 8192 cgsize 16384 cgoffset 128 cgmask 0xffffffff
csaddr 99 cssize 16384
rotdelay 0ms rps 60 trackskew 0 interleave 1
nsect 4096 npsect 4096 spc 4096
sblkno 1 cblkno 2 iblkno 3 dblkno 99
cgrotor 381 fmod 0 ronly 0 clean 0
avgfpdir 64 avgfilesize 16384
flags soft-updates
fsmnt /raid
volname swuid 0
>Fix:
Index: traverse.c
===================================================================
RCS file: /space/mirror/ncvs/src/sbin/dump/traverse.c,v
retrieving revision 1.36.2.1
diff -u -r1.36.2.1 traverse.c
--- traverse.c 2 May 2006 19:08:36 -0000 1.36.2.1
+++ traverse.c 3 Apr 2007 15:31:33 -0000
@@ -777,7 +777,7 @@
cnt = cread(diskfd, tmpbuf, secsize, offset - base);
if (cnt != secsize)
goto bad;
- xfer = secsize - base;
+ xfer = MIN(secsize - base, size);
offset += xfer;
bytes -= xfer;
resid = bytes % secsize;
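Review bot: the new bound uses `size`, while the line two below it tracks the remaining count in `bytes` (`bytes -= xfer;`); the two only coincide when nothing has been consumed yet, so `xfer = MIN(secsize - base, bytes);` would express the clamp in the variable this code path actually decrements and would stay correct if the head-of-sector read is ever entered with `bytes` already reduced. Also note that with the clamp a request lying entirely inside one sector leaves `bytes == 0` and therefore `resid == 0` after this hunk, so the full-sector and tail reads that follow (outside the hunk) need to handle a zero-length remainder; a short comment above the assignment saying that the request may end before the sector does would document why the bound exists.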
>Release-Note:
>Audit-Trail:
>Unformatted: