bin/85494: fsck_ffs: unchecked use of cg_inosused macro etc.

Nate Eldredge nge at
Tue Aug 30 18:30:24 GMT 2005

>Number:         85494
>Category:       bin
>Synopsis:       fsck_ffs: unchecked use of cg_inosused macro etc.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 30 18:30:21 GMT 2005
>Originator:     Nate Eldredge
>Release:        FreeBSD 5.4-RELEASE-p3 i386
System: FreeBSD mercury.lan 5.4-RELEASE-p3 FreeBSD 5.4-RELEASE-p3 #1: Wed Jun 29 18:04:58 PDT 2005 nate at mercury.lan:/medium/obj/medium/src/sys/MERCURY i386


When fsck_ffs is checking a file system, one of the passes is to check the
cylinder groups and see if the various bitmaps are correct.  For example, on
line 325 of pass5.c it looks at cg_inosused(cg).  cg has been read from the
disk, and cg_inosused is a pointer to cg->cg_iusedoff bytes past cg.  (Defined
in <ufs/ffs/fs.h>.)  Presumably the inosused bitmap is supposed to be in the
same block as the cg structure.  However, if the cylinder group header is
corrupt, cg->cg_iusedoff could be anything and thus cg_inosused(cg) will be a
bogus pointer, and fsck_ffs will crash.  Possibly there is no reasonable way for
fsck_ffs to handle such corruption, but it still shouldn't segfault IMHO. 

Other uses of the cg_* macros are also suspect, and there may be other errors of
the same sort throughout fsck.  dumpfs has similar bugs.


I have a filesystem image which crashes fsck_ffs because of this bug.  However,
the image is 1G and may contain some sensitive data (it's a corrupt /var) so I
would rather not make it available.  I can try to explain the problem further if


Check cg->iusedoff for sanity before trying to use it.  For instance, make sure
it points within the block that's been read from the disk.


More information about the freebsd-bugs mailing list