Subject: kern/26636: Bad bounds checking on 2048 byte/sector block device
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <cjs@netbsd.org>
List: netbsd-bugs
Date: 08/13/2004 16:17:34
>Number:         26636
>Category:       kern
>Synopsis:       Bad bounds checking on 2048 byte/sector block device
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 13 07:18:01 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Curt Sampson
>Release:        NetBSD 2.0_BETA Mon Jul 12 01:40:25 UTC 2004
>Organization:
>Environment:
System: NetBSD dev1.tabemo.com 2.0_BETA NetBSD 2.0_BETA (GENERIC) #0: Mon Jul 12 01:40:25 UTC 2004 autobuild@tgm.netbsd.org:/autobuild/netbsd-2-0/i386/OBJ/autobuild/netbsd-2-0/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
So on a NetBSD-2.0_BETA/i386 system I've got a DVD-RAM disk which is
having a little problem:

    gaadev1 # disklabel -r cd0
    disklabel: Can't read master boot record 0: Invalid argument
    # /dev/rcd0d:
    type: ATAPI
    disk: dvdram
    label: dvdram
    flags: removable
    bytes/sector: 2048
    sectors/track: 100
    tracks/cylinder: 1
    sectors/cylinder: 100
    cylinders: 22368
    total sectors: 2236704
    rpm: 300
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0

    4 partitions:
    #        size    offset     fstype [fsize bsize cpg/sgs]
     a:   2236700         0     4.2BSD   2048 16384     0  # (Cyl. 0 -  22366)
     d:   2236700         0     unused      0     0        # (Cyl. 0 -  22366)

Raw partition works ok:

    dev1 # dd if=/dev/zero of=/dev/rcd0d bs=2048 seek=2236699 count=1
    1+0 records in
    1+0 records out
    2048 bytes transferred in 0.002 secs (1024000 bytes/sec)

Yet on the a partition:

    dev1 # dd if=/dev/zero of=/dev/rcd0a bs=2048 seek=2236699 count=1
    dd: /dev/rcd0a: Invalid argument
    1+0 records in
    0+0 records out
    0 bytes transferred in 0.002 secs (0 bytes/sec)

However, since 2048 / 512 is 4, let's try 2236700 / 4 = 559175:

    dev1 # dd if=/dev/zero of=/dev/rcd0a bs=2048 seek=559174 count=1
    1+0 records in
    1+0 records out
    2048 bytes transferred in 0.002 secs (1024000 bytes/sec)

and:

    dev1 # dd if=/dev/zero of=/dev/rcd0a bs=2048 seek=559175 count=1
    dd: /dev/rcd0a: end of device
    1+0 records in
    0+0 records out
    0 bytes transferred in 0.001 secs (0 bytes/sec)

Maybe kern/subr_disk_mbr.c:bounds_check_with_label() is not taking the
sector size into account properly?

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
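
An added example, not part of the original report and not NetBSD's code: a small C model of the unit mismatch the report suspects, checked against the four dd results on /dev/rcd0a and /dev/rcd0d shown above. The struct, the function names, the scale_by_secsize switch, and the convention that a request starting exactly at the partition end yields end-of-device while one starting past it yields EINVAL are assumptions made for this model.

```c
#include <stdint.h>
#include <stdio.h>

#define DEV_BSIZE 512   /* unit of the block number handed to the check */

enum verdict { IO_OK, IO_EOF, IO_EINVAL };

/* Partition "a" as printed by disklabel in the report. */
struct part { uint64_t size_sectors; uint32_t secsize; };
static const struct part cd0a = { 2236700, 2048 };

/*
 * Model of a partition bounds check. blkno is in DEV_BSIZE units and
 * bcount in bytes. With scale_by_secsize == 0 the partition size, which
 * the label gives in 2048-byte sectors, is compared unscaled against a
 * 512-byte block number: the suspected defect (assumption).
 */
static enum verdict
bounds_check(const struct part *p, uint64_t blkno, uint64_t bcount,
    int scale_by_secsize)
{
    uint64_t sz = (bcount + DEV_BSIZE - 1) / DEV_BSIZE;
    uint64_t max = p->size_sectors;

    if (scale_by_secsize)
        max *= p->secsize / DEV_BSIZE;      /* sectors -> DEV_BSIZE blocks */
    if (blkno > max || sz > max - blkno)    /* overflow-safe blkno+sz > max */
        return blkno == max ? IO_EOF : IO_EINVAL;
    return IO_OK;
}

/* Equivalent of: dd bs=2048 seek=<seek> count=1 on the "a" partition. */
static enum verdict
dd_write(uint64_t seek, int scale_by_secsize)
{
    uint64_t blkno = seek * (2048 / DEV_BSIZE);
    return bounds_check(&cd0a, blkno, 2048, scale_by_secsize);
}

int
main(void)
{
    static const char *name[] = { "ok", "end of device", "Invalid argument" };
    const uint64_t seeks[] = { 2236699, 559174, 559175 };

    for (int i = 0; i < 3; i++)
        printf("seek=%llu unscaled: %s, scaled: %s\n",
            (unsigned long long)seeks[i],
            name[dd_write(seeks[i], 0)], name[dd_write(seeks[i], 1)]);
    return 0;
}
```

With the unscaled comparison the model returns the same three outcomes the report shows for the a partition; with the size scaled to 512-byte blocks, the last 2048-byte sector becomes writable and the end-of-device point moves to seek=2236700.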