Date: Mon, 13 Jan 2025 19:23:31 GMT
Message-Id: <202501131923.50DJNVnc039276@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Konstantin Belousov Subject: git: dc37121d3210 - main - ffs_reallocblks(): ensure that pref cg is valid List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kib X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: dc37121d3210d08c96a883ebfed780660e7e2b39 Auto-Submitted: auto-generated The branch main has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=dc37121d3210d08c96a883ebfed780660e7e2b39 commit dc37121d3210d08c96a883ebfed780660e7e2b39 Author: Konstantin Belousov AuthorDate: 2025-01-05 22:51:23 +0000 Commit: Konstantin Belousov CommitDate: 2025-01-13 19:22:54 +0000 ffs_reallocblks(): ensure that pref cg is valid ffs_blkpref_ufsX() must return in-range pref frag number, otherwise calculated cg index is out of range for fs, causing out of range accesses to the structures sized by the number of cg, e.g. the fs_maxcluster[] array in ffs_clusteralloc(). The easiest way to trigger it is to overflow the volume. In collaboration with: pho Reviewed by: mckusick Sponsored by: The FreeBSD Foundation MFC afer: 1 week Differential revision: https://reviews.freebsd.org/D48378 --- sys/ufs/ffs/ffs_alloc.c | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/sys/ufs/ffs/ffs_alloc.c b/sys/ufs/ffs/ffs_alloc.c index 01bfdb85c2e6..265daef14812 100644 --- a/sys/ufs/ffs/ffs_alloc.c +++ b/sys/ufs/ffs/ffs_alloc.c @@ -681,6 +681,7 @@ ffs_reallocblks_ufs1( * groups that we will search. */ cg = dtog(fs, pref); + MPASS(cg < fs->fs_ncg); for (i = min(maxclustersearch, fs->fs_ncg); i > 0; i--) { if ((newblk = ffs_clusteralloc(ip, cg, pref, len)) != 0) break; 
@@ -947,6 +948,7 @@ ffs_reallocblks_ufs2( * groups that we will search. */ cg = dtog(fs, pref); + MPASS(cg < fs->fs_ncg); for (i = min(maxclustersearch, fs->fs_ncg); i > 0; i--) { if ((newblk = ffs_clusteralloc(ip, cg, pref, len)) != 0) break; @@ -1438,8 +1440,11 @@ ffs_blkpref_ufs1(struct inode *ip, * place it immediately following the last direct block. */ if (indx == -1 && lbn < UFS_NDADDR + NINDIR(fs) && - ip->i_din1->di_db[UFS_NDADDR - 1] != 0) + ip->i_din1->di_db[UFS_NDADDR - 1] != 0) { pref = ip->i_din1->di_db[UFS_NDADDR - 1] + fs->fs_frag; + if (dtog(fs, pref) >= fs->fs_ncg) + pref = 0; + } return (pref); } /* @@ -1450,8 +1455,11 @@ ffs_blkpref_ufs1(struct inode *ip, if (lbn == UFS_NDADDR) { pref = ip->i_din1->di_ib[0]; if (pref != 0 && pref >= cgdata(fs, inocg) && - pref < cgbase(fs, inocg + 1)) + pref < cgbase(fs, inocg + 1)) { + if (dtog(fs, pref + fs->fs_frag) >= fs->fs_ncg) + return (0); return (pref + fs->fs_frag); + } } /* * If we are at the beginning of a file, or we have already allocated @@ -1506,6 +1514,8 @@ ffs_blkpref_ufs1(struct inode *ip, /* * Otherwise, we just always try to lay things out contiguously. */ + if (dtog(fs, prevbn + fs->fs_frag) >= fs->fs_ncg) + return (0); return (prevbn + fs->fs_frag); } @@ -1550,8 +1560,11 @@ ffs_blkpref_ufs2(struct inode *ip, * place it immediately following the last direct block. */ if (indx == -1 && lbn < UFS_NDADDR + NINDIR(fs) && - ip->i_din2->di_db[UFS_NDADDR - 1] != 0) + ip->i_din2->di_db[UFS_NDADDR - 1] != 0) { pref = ip->i_din2->di_db[UFS_NDADDR - 1] + fs->fs_frag; + if (dtog(fs, pref) >= fs->fs_ncg) + pref = 0; + } return (pref); } /* 
@@ -1562,8 +1575,11 @@ ffs_blkpref_ufs2(struct inode *ip, if (lbn == UFS_NDADDR) { pref = ip->i_din2->di_ib[0]; if (pref != 0 && pref >= cgdata(fs, inocg) && - pref < cgbase(fs, inocg + 1)) + pref < cgbase(fs, inocg + 1)) { + if (dtog(fs, pref + fs->fs_frag) >= fs->fs_ncg) + return (0); return (pref + fs->fs_frag); + } } /* * If we are at the beginning of a file, or we have already allocated @@ -1618,6 +1634,8 @@ ffs_blkpref_ufs2(struct inode *ip, /* * Otherwise, we just always try to lay things out contiguously. */ + if (dtog(fs, prevbn + fs->fs_frag) >= fs->fs_ncg) + return (0); return (prevbn + fs->fs_frag); } @@ -1968,6 +1986,7 @@ ffs_clusteralloc(struct inode *ip, ump = ITOUMP(ip); fs = ump->um_fs; + MPASS(cg < fs->fs_ncg); if (fs->fs_maxcluster[cg] < len) return (0); UFS_UNLOCK(ump);
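Review bot: In the ffs_reallocblks_ufs1 hunk (@@ -681), the new `MPASS(cg < fs->fs_ncg);` is compiled out on kernels built without INVARIANTS, so it documents the invariant rather than enforcing it; the actual protection is the clamping added to ffs_blkpref_ufs1(). A one-line comment above the assertion saying that the range guarantee comes from ffs_blkpref_ufs1() would make that dependency visible to the next person who edits either function.

Review bot: In the ffs_blkpref_ufs1 hunk at @@ -1438 the out-of-range case is handled by `pref = 0;` followed by the existing `return (pref);`, while the other new sites in the same function use `return (0);` directly; the two forms are equivalent, but the same check `dtog(fs, x) >= fs->fs_ncg` now appears at three places in ffs_blkpref_ufs1 and three more in ffs_blkpref_ufs2. A small static helper that takes the candidate fragment and returns it or 0 would keep all six sites identical and make the ufs1/ufs2 copies easier to keep in sync.

Review bot: In the ffs_blkpref_ufs1 hunk at @@ -1450 it is worth a short comment on why the new check is needed at all: the surrounding condition `pref < cgbase(fs, inocg + 1)` already bounds `pref` itself to group `inocg`, so the only way `pref + fs->fs_frag` lands outside the file system is when `inocg` is the last group and the addition crosses into the nonexistent group `fs_ncg`. Stating that makes the `return (0);` read as the intended "no preference" result rather than an arbitrary fallback.

Review bot: In the ffs_blkpref_ufs1 hunk at @@ -1506 the comment directly above the change, "Otherwise, we just always try to lay things out contiguously.", is now slightly stale: the function no longer always returns `prevbn + fs->fs_frag`, it returns 0 when that fragment would fall past the last cylinder group. Consider extending the comment with that exception so the early `return (0);` is self-explanatory.

Review bot: The ffs_blkpref_ufs2 hunk at @@ -1560 repeats the ufs1 change verbatim apart from `i_din2` versus `i_din1`, which is the usual shape of this file, but it does mean a future fix to the range check has to be made in six places. If a shared helper is not wanted, at least a comment in one function pointing at its twin would help reviewers confirm the two stay in step.

Review bot: In the ffs_blkpref_ufs2 hunk at @@ -1618 the same comment staleness as in the ufs1 copy applies: "we just always try to lay things out contiguously" no longer describes the behaviour once `return (0);` can be taken. Update the comment in both functions together.

Review bot: In the ffs_clusteralloc hunk at @@ -1968 the `MPASS(cg < fs->fs_ncg);` sits correctly before the `fs->fs_maxcluster[cg]` read, but as with the callers it is a no-op without INVARIANTS, so a production kernel would still index past `fs_maxcluster[]` if any caller regressed. Since this function already returns 0 for "no cluster found", a defensive `if (cg >= fs->fs_ncg) return (0);` (or a comment in the function header stating that `cg` is a caller-validated precondition) would make the contract explicit for the remaining callers of ffs_clusteralloc() that this diff does not touch.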
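As an added illustration (not the committed code, and not FreeBSD's own ffs_alloc.c), the following C model shows the arithmetic the patch corrects on a constructed 4-cylinder-group layout: how the contiguous-layout preference for the last block of the last group produces a cg index equal to fs_ncg, and how the new clamp turns that into "no preference". The names fs_model, sample_fs, model_dtog, blkpref_unchecked, blkpref_checked and cg_in_range are hypothetical and exist only in this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not kernel code: a stand-in for the three superblock fields the patch uses. */
struct fs_model {
	int32_t  fs_fpg;   /* fragments per cylinder group */
	int32_t  fs_frag;  /* fragments per file system block */
	uint32_t fs_ncg;   /* number of cylinder groups */
};

/* Constructed geometry: 4 cylinder groups of 1024 fragments, 8 per block. */
static struct fs_model sample_fs(void)
{
	struct fs_model fs = { .fs_fpg = 1024, .fs_frag = 8, .fs_ncg = 4 };
	return (fs);
}

/* Same arithmetic as the kernel's dtog(): fragment number -> cg index. */
static int64_t model_dtog(struct fs_model fs, int64_t d)
{
	return (d / fs.fs_fpg);
}

/* Pre-patch shape of the contiguous-layout path: no range check, so the last block of the last cg gives cg == fs_ncg. */
static int64_t blkpref_unchecked(struct fs_model fs, int64_t prevbn)
{
	return (prevbn + fs.fs_frag);
}

/* Post-patch shape: 0 ("no preference") once the candidate fragment lies past the last cylinder group. */
static int64_t blkpref_checked(struct fs_model fs, int64_t prevbn)
{
	int64_t pref = prevbn + fs.fs_frag;
	return (model_dtog(fs, pref) >= fs.fs_ncg ? 0 : pref);
}

/* The precondition the MPASS() hunks assert before indexing fs_maxcluster[cg]. */
static int cg_in_range(struct fs_model fs, int64_t pref)
{
	return (model_dtog(fs, pref) < (int64_t)fs.fs_ncg);
}

int main(void)
{
	int64_t last = 4 * 1024 - 8;	/* last block of the last cg: fragment 4088 */
	printf("unchecked pref %lld, checked pref %lld\n",
	    (long long)blkpref_unchecked(sample_fs(), last),
	    (long long)blkpref_checked(sample_fs(), last));
	return (0);
}
```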