[Bug 277237] fatblock() should call ulmin() rather than min()

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 23 Feb 2024 10:27:16 UTC

            Bug ID: 277237
           Summary: fatblock() should call ulmin() rather than min()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

In this line in msdosfs_fat.c's fatblock():

        size = roundup(min(fatblocksec, pmp->pm_FATsecs - bn) * DEV_BSIZE,
            pmp->pm_BlkPerSec * DEV_BSIZE);

It should probably be ulmin().

I've attached a corrupt FAT32 image that trips over this. FATsecs is
0x100000000, which passes the != 0 test in mountmsdosfs(), but looks
like zero when cast to 32 bits to pass to min(). The result is a zero
bsize passed to bread() by fillinusemap(), causing bread() to return
no error but a bp->b_data that points to unmapped memory.

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #17
main-n265546-d06328c37bbc: Tue Sep 26 20:08:23 AST 2023    
root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# gunzip fat6a.img.gz
# mdconfig -f fat6a.img
# mount_msdosfs /dev/md0 /mnt
panic: vm_fault_lookup: fault on nofault entry, addr: 0xfffffe0020d3c000
cpuid = 4
time = 1708682767
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01017f0470
vpanic() at vpanic+0x132/frame 0xfffffe01017f05a0
panic() at panic+0x43/frame 0xfffffe01017f0600
vm_fault() at vm_fault+0x18c9/frame 0xfffffe01017f0730
vm_fault_trap() at vm_fault_trap+0x6f/frame 0xfffffe01017f0770
trap_pfault() at trap_pfault+0x24a/frame 0xfffffe01017f07e0
calltrap() at calltrap+0x8/frame 0xfffffe01017f07e0
--- trap 0xc, rip = 0xffffffff809dd295, rsp = 0xfffffe01017f08b0, rbp =
0xfffffe01017f08e0 ---
fillinusemap() at fillinusemap+0x235/frame 0xfffffe01017f08e0
mountmsdosfs() at mountmsdosfs+0x864/frame 0xfffffe01017f0980
msdosfs_mount() at msdosfs_mount+0x45d/frame 0xfffffe01017f0ac0
vfs_domount_first() at vfs_domount_first+0x258/frame 0xfffffe01017f0c00
vfs_domount() at vfs_domount+0x315/frame 0xfffffe01017f0d20
vfs_donmount() at vfs_donmount+0x912/frame 0xfffffe01017f0dc0
sys_nmount() at sys_nmount+0x6c/frame 0xfffffe01017f0e00
amd64_syscall() at amd64_syscall+0x14f/frame 0xfffffe01017f0f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01017f0f30
--- syscall (378, FreeBSD ELF64, nmount), rip = 0x16e644522a2a, rsp =
0x16e6425ccb58, rbp = 0x16e6425cd1d0 ---
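The truncation the report describes, as an added example that is not code from the report or from FreeBSD: it models min() and ulmin() with the u_int and u_long signatures they have in sys/libkern.h, evaluates the size expression from fatblock() with constructed values (fatblocksec = 8, pm_FATsecs = 0x100000000, bn = 0, pm_BlkPerSec = 1; treating these fields as u_long is an assumption), and shows the zero size that would reach bread() next to the size the ulmin() form produces. It assumes an LP64 target, so that a u_long can hold 0x100000000.

```c
#include <stdio.h>

/* DEV_BSIZE and roundup() as defined in FreeBSD's sys/param.h. */
#define DEV_BSIZE 512
#define roundup(x, y) ((((x) + ((y) - 1)) / (y)) * (y))

/* The demonstration needs a 64-bit u_long so that 0x100000000 fits (assumption: LP64). */
_Static_assert(sizeof(unsigned long) >= 8, "example assumes an LP64 target");

/* Models of the sys/libkern.h helpers: min() takes u_int, ulmin() takes u_long. */
static inline unsigned int kern_min(unsigned int a, unsigned int b)
{
	return (a < b ? a : b);
}

static inline unsigned long kern_ulmin(unsigned long a, unsigned long b)
{
	return (a < b ? a : b);
}

/*
 * The size expression from fatblock() as quoted in the report. The casts are
 * explicit here only to make visible what the u_int prototype of min() does
 * implicitly: pm_FATsecs - bn is narrowed to 32 bits before the comparison,
 * so 0x100000000 compares as 0.
 */
unsigned long
fat_size_with_min(unsigned long fatblocksec, unsigned long pm_FATsecs,
    unsigned long bn, unsigned long pm_BlkPerSec)
{
	return (roundup(kern_min((unsigned int)fatblocksec,
	    (unsigned int)(pm_FATsecs - bn)) * DEV_BSIZE,
	    pm_BlkPerSec * DEV_BSIZE));
}

/* The same expression with ulmin(), which keeps the full u_long operands. */
unsigned long
fat_size_with_ulmin(unsigned long fatblocksec, unsigned long pm_FATsecs,
    unsigned long bn, unsigned long pm_BlkPerSec)
{
	return (roundup(kern_ulmin(fatblocksec, pm_FATsecs - bn) * DEV_BSIZE,
	    pm_BlkPerSec * DEV_BSIZE));
}

/* A defensive check a caller could apply before handing a size to bread(). */
int
fat_size_ok(unsigned long size)
{
	return (size != 0 && size % DEV_BSIZE == 0);
}

int
main(void)
{
	/* Constructed values modelled on the report: FATsecs = 0x100000000. */
	unsigned long fatblocksec = 8, pm_FATsecs = 0x100000000UL;
	unsigned long bn = 0, pm_BlkPerSec = 1;
	unsigned long bad = fat_size_with_min(fatblocksec, pm_FATsecs, bn, pm_BlkPerSec);
	unsigned long good = fat_size_with_ulmin(fatblocksec, pm_FATsecs, bn, pm_BlkPerSec);

	printf("min():   size = %lu (%s)\n", bad, fat_size_ok(bad) ? "ok" : "rejected");
	printf("ulmin(): size = %lu (%s)\n", good, fat_size_ok(good) ? "ok" : "rejected");
	return (0);
}
```

With the min() form the computed size is 0, which is exactly the zero bsize the report says fillinusemap() passes to bread(); with ulmin() the same inputs give 4096 bytes. For ordinary FAT sizes that fit in 32 bits both forms agree, which is why the defect only shows up with an oversized FATsecs value.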
