[Bug 271289] off-by-one error in fsck_ffs chkrange() block-number check

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 06 May 2023 21:00:50 UTC

            Bug ID: 271289
           Summary: off-by-one error in fsck_ffs chkrange() block-number
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 242024
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242024&action=edit
broken ffs image that causes off-by-one block-number check error in fsck

In this code in src/sbin/fsck_ffs/inode.c, I think the "blk >
maxfsblock" should be >=. The cnt - 1 ... check also looks off by one.

int
chkrange(ufs2_daddr_t blk, int cnt)
{
        int c;

        /* Reject a run of cnt fragments starting at blk that falls outside
         * the file system; maxfsblock is the fragment count of the file
         * system, so the quoted comparisons admit blk == maxfsblock. */
        if (cnt <= 0 || blk <= 0 || blk > maxfsblock ||
            cnt - 1 > maxfsblock - blk) {
                if (debug)
                        printf("out of range: blk %ld, offset %i, size %d\n",
                            (long)blk, (int)fragnum(&sblock, blk), cnt);
                return (1);
        }
        /* remainder of chkrange() not quoted in this report */
}

I've attached a broken file-system image with an i-node that refers to
a block number that's one too large (64):

% cp fsck4b.img junk
% fsck_ffs -y junk

On my CURRENT amd64 machine this yields a core dump, due to writing
beyond the end of blockmap[] and corrupting the next heap block, which
happens to contain a struct inoinfo in inphash[]. valgrind catches
the blockmap[] access.
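The following is an added, stand-alone C illustration of the two comparisons discussed in this report; it is not code from FreeBSD or from the reporter. It models a file system of 64 fragments (block numbers 0..63, so block 64 is the one-past-the-end value from the attached image), keeps the reported check verbatim next to a corrected form using ">=" and "cnt > maxfsblock - blk", and compares both against the property that actually has to hold before blockmap[] is touched: every block in [blk, blk + cnt) must be below maxfsblock. The bitmap-size assumption (maxfsblock bits) and the exact corrected form are the author's reading of the report, not text from the page.

```c
#include <stdio.h>
#include <stdint.h>

typedef int64_t ufs2_daddr_t;

/* Constructed stand-in for fsck_ffs state: maxfsblock is the number of
 * fragments in the file system (valid block numbers are 0..maxfsblock-1),
 * and blockmap[] is assumed to hold exactly maxfsblock bits. */
static ufs2_daddr_t maxfsblock = 64;

/* The range test as quoted in the report. Returns 1 when out of range.
 * It admits blk == maxfsblock and a run whose last block == maxfsblock. */
static int chkrange_reported(ufs2_daddr_t blk, int cnt)
{
    if (cnt <= 0 || blk <= 0 || blk > maxfsblock ||
        cnt - 1 > maxfsblock - blk)
        return 1;
    return 0;
}

/* Corrected test (assumed form): blk >= maxfsblock rejects the block one
 * past the end, and cnt > maxfsblock - blk rejects a run whose last block,
 * blk + cnt - 1, would be >= maxfsblock. */
static int chkrange_fixed(ufs2_daddr_t blk, int cnt)
{
    if (cnt <= 0 || blk <= 0 || blk >= maxfsblock ||
        cnt > maxfsblock - blk)
        return 1;
    return 0;
}

/* The property the check must guarantee: the whole run [blk, blk + cnt)
 * lies inside a bitmap of maxfsblock bits. */
static int run_fits_bitmap(ufs2_daddr_t blk, int cnt)
{
    return blk >= 0 && cnt > 0 && blk + (ufs2_daddr_t)cnt <= maxfsblock;
}

/* Returns 1 if the given check accepts a run that does not fit the bitmap,
 * i.e. it would let a later blockmap[] update write past the end. */
static int check_permits_overflow(int (*chk)(ufs2_daddr_t, int),
                                  ufs2_daddr_t blk, int cnt)
{
    return chk(blk, cnt) == 0 && !run_fits_bitmap(blk, cnt);
}

/* Exhaustively compare a check against run_fits_bitmap() for every
 * (blk, cnt) with 1 <= blk, cnt <= 2 * maxfsblock; returns the number of
 * runs the check accepts even though they overflow the bitmap. */
static int count_overflows_accepted(int (*chk)(ufs2_daddr_t, int))
{
    int bad = 0;
    for (ufs2_daddr_t blk = 1; blk <= 2 * maxfsblock; blk++)
        for (int cnt = 1; cnt <= 2 * maxfsblock; cnt++)
            if (check_permits_overflow(chk, blk, cnt))
                bad++;
    return bad;
}

int main(void)
{
    /* The case from the attached image: a single block numbered 64. */
    printf("blk 64, cnt 1: reported=%d fixed=%d\n",
           chkrange_reported(64, 1), chkrange_fixed(64, 1));
    /* The second off-by-one: a two-block run starting at the last block. */
    printf("blk 63, cnt 2: reported=%d fixed=%d\n",
           chkrange_reported(63, 2), chkrange_fixed(63, 2));
    printf("overflowing runs accepted: reported=%d fixed=%d\n",
           count_overflows_accepted(chkrange_reported),
           count_overflows_accepted(chkrange_fixed));
    return 0;
}
```

Running it shows the reported check accepting blk 64 (cnt 1) and blk 63 (cnt 2), both of which reach one bit past a 64-bit blockmap, while the corrected check rejects exactly the runs that run_fits_bitmap() rejects; the exhaustive sweep makes the off-by-one concrete as the diagonal blk + cnt == maxfsblock + 1.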
