From toasty@kevinday.com  Fri Feb  1 14:31:49 2002
Return-Path: <toasty@kevinday.com>
Received: from kevinday.com (dsl092-133-149.chi1.dsl.speakeasy.net [66.92.133.149])
	by hub.freebsd.org (Postfix) with ESMTP id 3410537B405
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  1 Feb 2002 14:31:44 -0800 (PST)
Received: (from root@localhost)
	by gw.kevinday.com (8.11.6/8.11.6) id g11NRFu02041;
	Fri, 1 Feb 2002 17:27:15 -0600 (CST)
	(envelope-from toasty)
Message-Id: <200202012327.g11NRFu02041@gw.kevinday.com>
Date: Fri, 1 Feb 2002 17:27:15 -0600 (CST)
From: toasty <toasty@dragondata.com>
Reply-To: toasty <toasty@dragondata.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] fsck(8) doesn't account for negative values in some signed fields
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         34539
>Category:       bin
>Synopsis:       [PATCH] fsck(8) doesn't account for negative values in some signed fields
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 01 14:40:02 PST 2002
>Closed-Date:    Sun Dec 01 14:16:09 PST 2002
>Last-Modified:  Sun Dec 01 14:16:09 PST 2002
>Originator:     toasty
>Release:        FreeBSD 4.4-RELEASE i386
>Organization:
DragonData
>Environment:
System: FreeBSD gw.kevinday.com 4.4-RELEASE FreeBSD 4.4-RELEASE #4: Thu Jan 17 23:34:34 CST 2002 toasty@gw.kevinday.com:/usr/src/sys/compile/GW i386

>Description:

In fs.h:


/*
 * Cylinder group block for a file system.
 */
struct cg {
...
        int32_t  cg_rotor;              /* position of last used block */
        int32_t  cg_frotor;             /* position of last used frag */
        int32_t  cg_irotor;             /* position of last used inode */
...
}

These are signed fields, but fsck never checks for negative values. We had a
system crash, and came back with negative values in a few irotor fields on
an FS. Fsck says the FS was fine, but the kernel crashed every time that
CG was used.

I discussed this with a few people. I originally suggested changing this to
an unsigned value, but it was pointed out that NetBSD tried this and it
ended up being quite a bit of work. My patch below checks for
negative numbers, and corrects them.
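To show why a negative rotor slips through, here is an added C example (not part of the PR or of FreeBSD's pass5.c) that models the two bound checks on a constructed stand-in for the three `struct cg` rotor fields. It assumes simplified names (`struct cg_rotors`, `rotor_ok_old`, `rotor_ok_new`, `sanitize_rotors`) and a small free-block map built inline; the real cylinder group layout is not reproduced.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the signed rotor fields of struct cg and the
 * bounds pass5 compares them against (hypothetical, not the real fs.h). */
struct cg_rotors {
	int32_t cg_ndblk;   /* bound used for cg_rotor and cg_frotor */
	int32_t cg_niblk;   /* bound used for cg_irotor */
	int32_t cg_rotor;   /* position of last used block */
	int32_t cg_frotor;  /* position of last used frag */
	int32_t cg_irotor;  /* position of last used inode */
};

/* Pre-patch test: only the upper bound is checked. Any negative int32_t
 * compares below the limit, so a corrupted field is accepted as valid. */
int rotor_ok_old(int32_t rotor, int32_t limit)
{
	return rotor < limit;
}

/* Patched test: reject negative values too. Written with >= 0; the PR's
 * literal > 0 gives the same stored result because the else branch
 * writes 0 anyway (see clamp_rotor_patch below). */
int rotor_ok_new(int32_t rotor, int32_t limit)
{
	return rotor >= 0 && rotor < limit;
}

/* The value pass5 stores for one field using the PR's exact condition. */
int32_t clamp_rotor_patch(int32_t rotor, int32_t limit)
{
	return (rotor < limit && rotor > 0) ? rotor : 0;
}

/* Apply the patched logic to all three fields, resetting each out-of-range
 * one to 0. Returns how many fields were corrected so a caller can report. */
int sanitize_rotors(struct cg_rotors *cg)
{
	int fixed = 0;

	if (!rotor_ok_new(cg->cg_rotor, cg->cg_ndblk)) {
		cg->cg_rotor = 0;
		fixed++;
	}
	if (!rotor_ok_new(cg->cg_frotor, cg->cg_ndblk)) {
		cg->cg_frotor = 0;
		fixed++;
	}
	if (!rotor_ok_new(cg->cg_irotor, cg->cg_niblk)) {
		cg->cg_irotor = 0;
		fixed++;
	}
	return fixed;
}

/* Model of a consumer that starts scanning a free map at the rotor.
 * With a negative rotor the scan would read before the map; the checked
 * bound turns that into a -1 instead of an out-of-bounds access. */
int first_free_from(const uint8_t *freemap, int32_t nblk, int32_t rotor)
{
	int32_t i;

	if (!rotor_ok_new(rotor, nblk))
		return -1;
	for (i = rotor; i < nblk; i++)
		if (freemap[i])
			return i;
	return -1;
}

int main(void)
{
	/* Constructed cylinder group with two damaged (negative) rotors. */
	struct cg_rotors cg = { 100, 8, 17, -3, -1 };
	uint8_t freemap[100] = { 0 };
	int fixed;

	freemap[42] = 1;
	printf("old check accepts -3: %d\n", rotor_ok_old(-3, cg.cg_ndblk));
	printf("old check accepts 0: %d\n", rotor_ok_new(0, cg.cg_ndblk));
	fixed = sanitize_rotors(&cg);
	printf("fields corrected: %d (rotor=%d frotor=%d irotor=%d)\n",
	    fixed, cg.cg_rotor, cg.cg_frotor, cg.cg_irotor);
	printf("first free from rotor: %d\n",
	    first_free_from(freemap, cg.cg_ndblk, cg.cg_rotor));
	return 0;
}
```

`rotor_ok_old(-3, 100)` returns true, which is the behaviour the PR describes: fsck declares the group clean and leaves the negative offset for the kernel to use. `sanitize_rotors` reports how many fields it reset, which is the hook a defender would use to make the repair visible rather than silent.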

>How-To-Repeat:
>Fix:

--- pass5.c.orig	Fri Feb  1 17:16:48 2002
+++ pass5.c	Fri Feb  1 17:18:19 2002
@@ -195,15 +195,15 @@
 		newcg->cg_cs.cs_nffree = 0;
 		newcg->cg_cs.cs_nbfree = 0;
 		newcg->cg_cs.cs_nifree = fs->fs_ipg;
-		if (cg->cg_rotor < newcg->cg_ndblk)
+		if ((cg->cg_rotor < newcg->cg_ndblk) && (cg->cg_rotor > 0))
 			newcg->cg_rotor = cg->cg_rotor;
 		else
 			newcg->cg_rotor = 0;
-		if (cg->cg_frotor < newcg->cg_ndblk)
+		if ((cg->cg_frotor < newcg->cg_ndblk) && (cg->cg_frotor > 0))
 			newcg->cg_frotor = cg->cg_frotor;
 		else
 			newcg->cg_frotor = 0;
-		if (cg->cg_irotor < newcg->cg_niblk)
+		if ((cg->cg_irotor < newcg->cg_niblk) && (cg->cg_irotor > 0))
 			newcg->cg_irotor = cg->cg_irotor;
 		else
 			newcg->cg_irotor = 0;
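Review bot: the `> 0` added to all three conditions also sends a legitimate rotor value of 0 down the else branch; the stored result is still 0, so behaviour is unchanged, but `>= 0` would state the intent (reject only negative values) without the reader having to reason about the else branch. Also, as with the pre-existing upper-bound test, a negative rotor is reset without any diagnostic in this hunk, so the operator gets no indication that the cylinder group was damaged; consider emitting a message on the correction path.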
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: iedowse 
State-Changed-When: Sun Dec 1 14:14:59 PST 2002 
State-Changed-Why:  

Fixed by julian in revision 1.17.2.2 of sbin/fsck/pass5.c. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34539 
>Unformatted:
