kern/114389: MOKB testcase causes kernel to crash in UFS mount code
Craig Rodrigues
rodrigc at FreeBSD.org
Sat Jul 7 19:50:09 UTC 2007
>Number: 114389
>Category: kern
>Synopsis: MOKB testcase causes kernel to crash in UFS mount code
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jul 07 19:50:08 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Craig Rodrigues
>Release: CURRENT
>Organization:
>Environment:
FreeBSD 7.0-CURRENT FreeBSD 7.0-CURRENT #24: Sat Jul 7 15:09:35 EDT 2007 /usr/obj/usr/src/sys/MYKERNEL1 i386
>Description:
The testcase at:
http://projects.info-pull.com/mokb/MOKB-08-11-2006.html
can cause the kernel to crash in the UFS mount code.
>How-To-Repeat:
(1) fetch http://projects.info-pull.com/mokb/bug-files/MOKB-08-11-2006.img.bz2
(2) bunzip2 MOKB-08-11-2006.img.bz2
(3) mdconfig -a -t vnode -f ./MOKB-08-11-2006.img -u 0
(4) mount /dev/md0 /mnt
>Fix:
See attached patch.
Patch attached with submission follows:
Index: ffs_vnops.c
===================================================================
RCS file: /home/ncvs/src/sys/ufs/ffs/ffs_vnops.c,v
retrieving revision 1.172
diff -u -u -r1.172 ffs_vnops.c
--- ffs_vnops.c 12 Jun 2007 00:12:01 -0000 1.172
+++ ffs_vnops.c 7 Jul 2007 19:46:36 -0000
@@ -1192,14 +1192,18 @@
{
struct inode *ip;
struct ufs2_dinode *dp;
+ struct fs *fs;
struct uio luio;
struct iovec liovec;
int easize, error;
u_char *eae;
ip = VTOI(vp);
+ fs = ip->i_fs;
dp = ip->i_din2;
easize = dp->di_extsize;
+ if ((uoff_t)(easize + extra) > NXADDR * fs->fs_bsize)
+ return (EFBIG);
eae = malloc(easize + extra, M_TEMP, M_WAITOK);
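Review bot: the bound in `if ((uoff_t)(easize + extra) > NXADDR * fs->fs_bsize)` is applied to the sum only after `easize + extra` has been computed, and `easize` is declared `int` and assigned straight from `dp->di_extsize` with no check of its own. Depending on the type of `extra` (not visible in this hunk), a negative `easize` that `extra` brings back into range would pass the test and reach `malloc(easize + extra, ...)`, and a sum that overflows `int` is undefined before the cast is ever evaluated. Consider validating `easize` by itself first (reject `easize < 0` or `easize > NXADDR * fs->fs_bsize`), then checking `extra` against the remaining room. A one-line comment stating what `NXADDR * fs->fs_bsize` represents would also make the reason for returning `EFBIG` clear to the next reader.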
>Release-Note:
>Audit-Trail:
>Unformatted: