From nobody Sun May 28 00:12:48 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QTJyS5VfRz4X27w; Sun, 28 May 2023 00:12:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4QTJyS4Zr5z46mZ; Sun, 28 May 2023 00:12:48 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1685232768; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zNtmvfm+vTXI2nft3TM4xbU42VQ9JtMJLPkCaZutgFQ=; b=fwy1U/6qyRzDreHhaKtYdNK23cIDd3mnnaz9+qS7dKs2aps+Xkix5on/tqUcYEmbV80QQb yqg6es3/yfuINsV7q+U5/78pbrIawUOoZ7oUUkyDxdqs6aMSMDFK1F8FMTGQPhUDltGUn9 dgAEdznGEpzPpdQ1qWl33qAV1nfHIU6of0vGaiqEC7NWDEd5dJZBI1taps94t2DIHTg43X d9oghAqceqz1Bx5IQ1xr9TURPA4iBbUVZX3Hh9qM6YlWaBakpNo/pA8wwXDYlP9A5dqr4T BbqudgL3NkgHCrAq3Qd59VOOCBXMrXkT6H2kgQXY3xxAQejb+Q1zew/A3Jtxfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1685232768; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zNtmvfm+vTXI2nft3TM4xbU42VQ9JtMJLPkCaZutgFQ=; b=ri38ATSkqGeXhmyHvOTOmPD/d+UswMDzIHjKN1q5REhXlon7yEQQlRElW7WR8ur8aL3sdT zmtEIwSpWE1n7DLhpX4Lvh2vH01iHRLXg1nW/3T3MZTRGpL26/ECIM+jCLPf6UIVnEKDfX rzUMG1weY7lT91Kuoh/mYWckTTyFRhxr0fwjQjaVyhLU0ygyx72iA/ORIHeFnzmzVJ6pR1 rzO/p+7/WcK4g9BbnZa6tj4CZQp6ZRg9u0xHcSPBrzXbIfndjbcPhT5LtnkdUBe4Dc/ksP W0W44kIe1Q3fWoYmoHLptDOjgBKplSCXreiUhlaQCodKLmP/FZvBySC3pfJIDQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1685232768; a=rsa-sha256; cv=none; b=Le52/IbD4frdI6w+OahqVKmJIZuO1bxYJR6+TEzTCvYyQy3MV9ZyPbmuYBI5w8d/eT+HHk KeRV36GN1TzPa4ndud1x3HzsfcxWqVeFMphnvthwA0D0fZxOCzGxCTNaunKztPI/6/NKLF QU4VzXxykWD/xxMfBmPFCfBZotYPGuooQAKlYiMGUIZr9fWpp24Gv/MGmRcE7rFOgcFgoT /gmpO+gLyuZeslL+LTV5UZcSnvyzxtxtvEygViIQEjJMZ54HH1SnkbY473ylgrDvMqzPMM UkwOgpZ5A7i/FHB8qQHWVxfmwwUkhehjhgqzUICKBzFkU2mMkRL5J2yBJDcUrg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4QTJyS3hKVz18NT; Sun, 28 May 2023 00:12:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 34S0CmtR099862; Sun, 28 May 2023 00:12:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 34S0Cmeo099861; Sun, 28 May 2023 00:12:48 GMT (envelope-from git) Date: Sun, 28 May 2023 00:12:48 GMT Message-Id: <202305280012.34S0Cmeo099861@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kirk McKusick Subject: git: 101a9ac07128 - main - Fix a bug in fsck_ffs(8) triggered by corrupted filesystems. List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mckusick X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 101a9ac07128a17d8797cc3e93978d2cfa457e99 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by mckusick: URL: https://cgit.FreeBSD.org/src/commit/?id=101a9ac07128a17d8797cc3e93978d2cfa457e99 commit 101a9ac07128a17d8797cc3e93978d2cfa457e99 Author: Kirk McKusick AuthorDate: 2023-05-28 00:09:02 +0000 Commit: Kirk McKusick CommitDate: 2023-05-28 00:12:30 +0000 Fix a bug in fsck_ffs(8) triggered by corrupted filesystems. Check for valid file size before processing journal entries for it. Done by extracting the file size check from pass1.c into chkfilesize() then using it in the journal code in suj.c Reported-by: Robert Morris PR: 271378 MFC-after: 1 week Sponsored-by: The FreeBSD Foundation --- sbin/fsck_ffs/fsck.h | 1 + sbin/fsck_ffs/fsutil.c | 25 +++++++++++++++++++++++++ sbin/fsck_ffs/pass1.c | 12 +----------- sbin/fsck_ffs/suj.c | 3 +++ 4 files changed, 30 insertions(+), 11 deletions(-) diff --git a/sbin/fsck_ffs/fsck.h b/sbin/fsck_ffs/fsck.h index ad82c5f80da1..3b80169c1e3c 100644 --- a/sbin/fsck_ffs/fsck.h +++ b/sbin/fsck_ffs/fsck.h @@ -470,6 +470,7 @@ void check_blkcnt(struct inode *ip); int check_cgmagic(int cg, struct bufarea *cgbp); void rebuild_cg(int cg, struct bufarea *cgbp); void check_dirdepth(struct inoinfo *inp); +int chkfilesize(mode_t mode, u_int64_t filesize); int chkrange(ufs2_daddr_t blk, int cnt); void ckfini(int markclean); int ckinode(union dinode *dp, struct inodesc *); diff --git a/sbin/fsck_ffs/fsutil.c b/sbin/fsck_ffs/fsutil.c index 7602203e6e90..5edc258d54bf 100644 --- a/sbin/fsck_ffs/fsutil.c +++ b/sbin/fsck_ffs/fsutil.c @@ -1207,6 +1207,31 @@ std_checkblkavail(ufs2_daddr_t blkno, long frags) return (0); } +/* + * Check whether a file size is within the limits for the filesystem. + * Return 1 when valid and 0 when too big. + * + * This should match the file size limit in ffs_mountfs(). + */ +int +chkfilesize(mode_t mode, u_int64_t filesize) +{ + u_int64_t kernmaxfilesize; + + if (sblock.fs_magic == FS_UFS1_MAGIC) + kernmaxfilesize = (off_t)0x40000000 * sblock.fs_bsize - 1; + else + kernmaxfilesize = sblock.fs_maxfilesize; + if (filesize > kernmaxfilesize || + filesize > sblock.fs_maxfilesize || + (mode == IFDIR && filesize > MAXDIRSIZE)) { + if (debug) + printf("bad file size %ju:", (uintmax_t)filesize); + return (0); + } + return (1); +} + /* * Slow down IO so as to leave some disk bandwidth for other processes */ diff --git a/sbin/fsck_ffs/pass1.c b/sbin/fsck_ffs/pass1.c index 863bf34ff0fc..d328234220ad 100644 --- a/sbin/fsck_ffs/pass1.c +++ b/sbin/fsck_ffs/pass1.c @@ -256,7 +256,6 @@ checkinode(ino_t inumber, struct inodesc *idesc, int rebuiltcg) { struct inode ip; union dinode *dp; - off_t kernmaxfilesize; ufs2_daddr_t ndb; mode_t mode; intmax_t size, fixsize; @@ -293,16 +292,7 @@ checkinode(ino_t inumber, struct inodesc *idesc, int rebuiltcg) return (1); } lastino = inumber; - /* This should match the file size limit in ffs_mountfs(). */ - if (sblock.fs_magic == FS_UFS1_MAGIC) - kernmaxfilesize = (off_t)0x40000000 * sblock.fs_bsize - 1; - else - kernmaxfilesize = sblock.fs_maxfilesize; - if (DIP(dp, di_size) > kernmaxfilesize || - DIP(dp, di_size) > sblock.fs_maxfilesize || - (mode == IFDIR && DIP(dp, di_size) > MAXDIRSIZE)) { - if (debug) - printf("bad size %ju:", (uintmax_t)DIP(dp, di_size)); + if (chkfilesize(mode, DIP(dp, di_size)) == 0) { pfatal("BAD FILE SIZE"); goto unknown; } diff --git a/sbin/fsck_ffs/suj.c b/sbin/fsck_ffs/suj.c index 8fed3d7723d6..d51e0ff4d83b 100644 --- a/sbin/fsck_ffs/suj.c +++ b/sbin/fsck_ffs/suj.c @@ -1965,6 +1965,9 @@ ino_build_trunc(struct jtrncrec *rec) printf("ino_build_trunc: op %d ino %ju, size %jd\n", rec->jt_op, (uintmax_t)rec->jt_ino, (uintmax_t)rec->jt_size); + if (chkfilesize(IFREG, rec->jt_size) == 0) + err_suj("ino_build: truncation size too large %ju\n", + (intmax_t)rec->jt_size); sino = ino_lookup(rec->jt_ino, 1); if (rec->jt_op == JOP_SYNC) { sino->si_trunc = NULL;