From thomas@cuivre.fr.eu.org  Tue Apr  3 15:44:09 2007
Return-Path: <thomas@cuivre.fr.eu.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 081CE16A404
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  3 Apr 2007 15:44:09 +0000 (UTC)
	(envelope-from thomas@cuivre.fr.eu.org)
Received: from melamine.cuivre.fr.eu.org (melusine.cuivre.fr.eu.org [82.225.155.84])
	by mx1.freebsd.org (Postfix) with ESMTP id C1AC513C468
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  3 Apr 2007 15:44:08 +0000 (UTC)
	(envelope-from thomas@cuivre.fr.eu.org)
Received: by melamine.cuivre.fr.eu.org (Postfix, from userid 1000)
	id C39375C1F0; Tue,  3 Apr 2007 17:44:03 +0200 (CEST)
Message-Id: <20070403154403.C39375C1F0@melamine.cuivre.fr.eu.org>
Date: Tue,  3 Apr 2007 17:44:03 +0200 (CEST)
From: Thomas Quinot <thomas@cuivre.fr.eu.org>
Reply-To: Thomas Quinot <thomas@cuivre.fr.eu.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: dump(8) stack corruption
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         111191
>Category:       bin
>Synopsis:       dump(8) stack corruption
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    thomas
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 03 15:50:03 GMT 2007
>Closed-Date:    Thu Apr 12 07:54:18 GMT 2007
>Last-Modified:  Thu Apr 12 08:00:09 GMT 2007
>Originator:     Thomas Quinot
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD melamine.cuivre.fr.eu.org 6.2-STABLE FreeBSD 6.2-STABLE #0: Sun Mar 18 12:49:35 CET 2007 thomas@melamine.cuivre.fr.eu.org:/space/build/obj/space/build/src/RELENG_6/sys/SMP i386


	
>Description:
	Under some circumstances, the bread function in dump(8) can corrupt
	the dump process's stack, possibly resulting in an infinite loop.

	Specifically, if bread is called to read a chunk of data entirely
	contained within a block (i.e. base > 0 and resid > 0 and
	base + size < secsize), then xfer is miscomputed as
	secsize - base, and more data is written to the buffer than it can hold.
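	To make the miscomputed xfer concrete, the following is an added C model
	of bread()'s partial-sector path (example code, not the dump(8) source):
	the caller's buffer of exactly `size` bytes is placed in front of a canary
	region, so the overrun from the pre-fix formula is observed without
	undefined behaviour. SECSIZE, the constructed `disk` array, fill_disk()
	and the helper names are assumptions of the example; MIN() is the macro
	the fix uses.

```c
#include <string.h>
#include <sys/param.h>          /* MIN(), as used by the committed fix */
#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

#define SECSIZE 512             /* simulated sector size (constructed) */
#define CANARY  0xAA            /* never produced by fill_disk() */

static unsigned char disk[4 * SECSIZE];   /* constructed stand-in for the device */

static void fill_disk(void)
{
    for (size_t i = 0; i < sizeof disk; i++)
        disk[i] = (unsigned char)(i & 0x7f);
}

/* Model of bread()'s partial-sector path: cread() the whole sector holding
 * `offset` into tmpbuf, then copy `xfer` bytes from `base` out to the caller.
 * `fixed` selects the committed MIN() formula, else the pre-fix secsize - base. */
static int partial_read(unsigned char *buf, int size, long offset, int fixed)
{
    unsigned char tmpbuf[SECSIZE];
    int base = (int)(offset % SECSIZE);
    int xfer;
    memcpy(tmpbuf, disk + (offset - base), SECSIZE);
    xfer = fixed ? MIN(SECSIZE - base, size) : SECSIZE - base;
    memcpy(buf, tmpbuf + base, (size_t)xfer);
    return xfer;
}

/* One request lying entirely inside a sector (base > 0, base + size < SECSIZE)
 * against a caller buffer of exactly `size` bytes followed by a canary region.
 * Returns 1 if the copy stayed within `size` and delivered the right bytes. */
static int request_stays_in_bounds(int size, long offset, int fixed)
{
    unsigned char backing[2 * SECSIZE];   /* caller's buffer, then canary */
    fill_disk();
    memset(backing, CANARY, sizeof backing);
    partial_read(backing, size, offset, fixed);
    for (size_t i = (size_t)size; i < sizeof backing; i++)
        if (backing[i] != CANARY)
            return 0;
    return memcmp(backing, disk + offset, (size_t)size) == 0;
}
```

	With size 64 at offset 600 (base 88), the pre-fix formula copies 424 bytes
	into a 64-byte buffer and the canary is clobbered; the MIN() form copies 64.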

>How-To-Repeat:
	Probably depends on the specific filesystem structure; I encountered
	this situation on a UFS1 FS with the following properties:

magic   11954 (UFS1)    time    Tue Apr  3 17:38:58 2007
id      [ 3d628b58 6f35d1ae ]
ncg     456     size    22447680        blocks  22402990
bsize   16384   shift   14      mask    0xffffc000
fsize   16384   shift   14      mask    0xffffc000
frag    1       shift   0       fsbtodb 5
minfree 8%      optim   time    symlinklen 60
maxbpg  4096    maxcontig 7     contigsumsize 7
nbfree  4609027 ndir    238205  nifree  2822093 nffree  0
cpg     385     bpg     49280   fpg     49280   ipg     12288
nindir  4096    inopb   128     nspf    32      maxfilesize     1126174852055039
sbsize  8192    cgsize  16384   cgoffset 128    cgmask  0xffffffff
csaddr  99      cssize  16384
rotdelay 0ms    rps     60      trackskew 0     interleave 1
nsect   4096    npsect  4096    spc     4096
sblkno  1       cblkno  2       iblkno  3       dblkno  99
cgrotor 381     fmod    0       ronly   0       clean   0
avgfpdir 64     avgfilesize 16384
flags   soft-updates
fsmnt   /raid
volname         swuid   0

>Fix:

Index: traverse.c
===================================================================
RCS file: /space/mirror/ncvs/src/sbin/dump/traverse.c,v
retrieving revision 1.36.2.1
diff -u -r1.36.2.1 traverse.c
--- traverse.c	2 May 2006 19:08:36 -0000	1.36.2.1
+++ traverse.c	3 Apr 2007 15:31:33 -0000
@@ -777,7 +777,7 @@
 			cnt = cread(diskfd, tmpbuf, secsize, offset - base);
 			if (cnt != secsize)
 				goto bad;
-			xfer = secsize - base;
+			xfer = MIN(secsize - base, size);
 			offset += xfer;
 			bytes -= xfer;
 			resid = bytes % secsize;
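Review bot: The new `xfer = MIN(secsize - base, size);` caps the transfer correctly, but the copy that consumes `xfer` is outside this hunk; confirm that the copy into the caller's buffer uses `xfer` (not `secsize - base`) as its length, and that with `bytes -= xfer;` the loop now reaches `bytes == 0` and exits when `xfer == size` rather than iterating again with a stale `resid`. A one-line comment above the assignment noting when `size < secsize - base` occurs (base > 0 and base + size < secsize, per the description) would keep the cap from being mistaken for a no-op later; also check that `MIN` is in scope in traverse.c (`<sys/param.h>`).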
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->thomas 
Responsible-Changed-By: thomas 
Responsible-Changed-When: Tue Apr 3 16:59:56 UTC 2007 
Responsible-Changed-Why:  
I'll take care of this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=111191 
State-Changed-From-To: open->patched 
State-Changed-By: thomas 
State-Changed-When: Thu Apr 5 20:32:02 UTC 2007 
State-Changed-Why:  
Patch committed to HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=111191 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/111191: commit references a PR
Date: Thu,  5 Apr 2007 20:31:29 +0000 (UTC)

 thomas      2007-04-05 20:31:23 UTC
 
   FreeBSD src repository
 
   Modified files:
     sbin/dump            traverse.c 
   Log:
   (bread): For a read that is contained entirely within a block, never copy
    out more than size bytes to the caller's buffer.
   
   PR:             bin/111191
   Reviewed by:    pb
   MFC after:      1 week
   
   Revision  Changes    Path
   1.40      +1 -1      src/sbin/dump/traverse.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: thomas 
State-Changed-When: Thu Apr 12 07:53:41 UTC 2007 
State-Changed-Why:  
Fix has been MFC'd to RELENG_6. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=111191 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/111191: commit references a PR
Date: Thu, 12 Apr 2007 07:53:17 +0000 (UTC)

 thomas      2007-04-12 07:53:13 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     sbin/dump            traverse.c 
   Log:
   MFC rev. 1.40:
   (bread): For a read that is contained entirely within a block, never copy
    out more than size bytes to the caller's buffer.
   
   PR:     bin/111191
   
   Revision  Changes    Path
   1.36.2.2  +1 -1      src/sbin/dump/traverse.c
 
>Unformatted:
