Subject: bin/5404: fsck_ffs buffer overrun
To: None <gnats-bugs@gnats.netbsd.org>
From: Minoura Makoto <minoura@kw.netlaputa.ne.jp>
List: netbsd-bugs
Date: 05/06/1998 10:34:06
>Number: 5404
>Category: bin
>Synopsis: fsck_ffs buffer overrun
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue May 5 18:50:01 1998
>Last-Modified:
>Originator: Minoura Makoto
>Organization:
MINOURA, Makoto <minoura@kw.netlaputa.ne.jp> or <minoura@kyogoku.com>
Nakahara-ku Kawasaki-Shi, JAPAN
>Release: May 5, 1998
>Environment:
System: NetBSD daisy 1.3E NetBSD 1.3E (DAISY) #55: Sun May 3 20:00:01 JST 1998 root@daisy:/usr/src/sys/arch/i386/compile/DAISY i386
>Description:
fsck_ffs causes `Segmentation fault' in pass 5, fixing
`BLK(S) MISSING IN BIT MAPS' corruption.
>How-To-Repeat:
(gdb) r /dev/rsd2d
Starting program: /usr/src/sbin/fsck_ffs/obj/fsck_ffs /dev/rsd2d
** /dev/rsd2d
** Swapped byte order
** Last Mounted on /a/daisy/vol/mo0
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
BLK(S) MISSING IN BIT MAPS
SALVAGE? [yn] y
Program received signal SIGSEGV, Segmentation fault.
0xd47f in copyback_cg (blk=0x31e3c) at /usr/src/sbin/fsck_ffs/utilities.c:589
589 memcpy(blk->b_un.b_cg, cgrp, SBSIZE);
(gdb) where
#0 0xd47f in copyback_cg (blk=0x31e3c)
at /usr/src/sbin/fsck_ffs/utilities.c:589
#1 0x96c8 in pass5 () at /usr/src/sbin/fsck_ffs/pass5.c:336
#2 0x51e2 in checkfilesys (filesys=0x2c688 "/dev/rsd2d", mntpt=0x0,
auxdata=0, child=0) at /usr/src/sbin/fsck_ffs/main.c:269
#3 0x4d7f in main (argc=2, argv=0xefbfd8b8)
at /usr/src/sbin/fsck_ffs/main.c:167
(gdb) print *blk->b_un.b_cg
$1 = {cg_firstfield = 0, cg_magic = 590421, cg_time = 893931610, cg_cgx = 0,
cg_ncyl = 16, cg_niblk = 128, cg_ndblk = 2000, cg_cs = {cs_ndir = 1,
cs_nbfree = 70, cs_nifree = 117, cs_nffree = 7}, cg_rotor = 1584,
cg_frotor = 56, cg_irotor = 8, cg_frsum = {0, 0, 0, 0, 0, 0, 0, 1},
cg_btotoff = 168, cg_boff = 232, cg_iusedoff = 264, cg_freeoff = 280,
cg_nextfreeoff = 596, cg_clustersumoff = 528, cg_clusteroff = 564,
cg_nclusterblks = 250, cg_sparecon = {0 <repeats 13 times>}, cg_space = ""}
(gdb) print *cgrp
$2 = {cg_firstfield = 0, cg_magic = 590421, cg_time = 893931610, cg_cgx = 0,
cg_ncyl = 16, cg_niblk = 128, cg_ndblk = 2000, cg_cs = {cs_ndir = 1,
cs_nbfree = 70, cs_nifree = 117, cs_nffree = 7}, cg_rotor = 1584,
cg_frotor = 56, cg_irotor = 8, cg_frsum = {0, 0, 0, 0, 0, 0, 0, 1},
cg_btotoff = 168, cg_boff = 232, cg_iusedoff = 264, cg_freeoff = 280,
cg_nextfreeoff = 596, cg_clustersumoff = 528, cg_clusteroff = 564,
cg_nclusterblks = 250, cg_sparecon = {0 <repeats 13 times>}, cg_space = ""}
>Fix:
*** src/sbin/fsck_ffs/utilities.c.orig Mon Mar 30 21:29:15 1998
--- src/sbin/fsck_ffs/utilities.c Wed May 6 10:25:46 1998
***************
*** 586,592 ****
void copyback_cg(blk)
struct bufarea *blk;
{
! memcpy(blk->b_un.b_cg, cgrp, SBSIZE);
if (needswap)
swap_cg(cgrp, blk->b_un.b_cg);
}
--- 586,592 ----
void copyback_cg(blk)
struct bufarea *blk;
{
! memcpy(blk->b_un.b_cg, cgrp, sblock->fs_cgsize);
if (needswap)
swap_cg(cgrp, blk->b_un.b_cg);
}
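Review bot: the fix correctly bounds the copy by the cylinder-group size instead of SBSIZE; the copy at utilities.c:589 faults, so blk->b_un.b_cg cannot hold SBSIZE bytes, and the dump above shows this cylinder group ends at cg_nextfreeoff = 596, far below SBSIZE. Two follow-ups: sblock->fs_cgsize is read from the on-disk superblock, so a corrupt superblock carrying an oversized fs_cgsize would reintroduce the same overrun; make sure fs_cgsize is validated against the buffer size (and against SBSIZE) where the superblock is read. Also check the matching path that fills cgrp from blk->b_un.b_cg, and any other memcpy of a cylinder group in this file, for the same SBSIZE length so both directions use fs_cgsize.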
>Audit-Trail:
>Unformatted: