From nge@cs.hmc.edu  Tue Aug 30 18:20:23 2005
Return-Path: <nge@cs.hmc.edu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CC05A16A425
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 30 Aug 2005 18:20:20 +0000 (GMT)
	(envelope-from nge@cs.hmc.edu)
Received: from smtp101.sbc.mail.mud.yahoo.com (smtp101.sbc.mail.mud.yahoo.com [68.142.198.200])
	by mx1.FreeBSD.org (Postfix) with SMTP id E30E443F91
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 30 Aug 2005 18:13:29 +0000 (GMT)
	(envelope-from nge@cs.hmc.edu)
Received: (qmail 83392 invoked from network); 30 Aug 2005 18:13:20 -0000
Received: from unknown (HELO mercury.lan) (nattylite@sbcglobal.net@63.206.48.95 with login)
  by smtp101.sbc.mail.mud.yahoo.com with SMTP; 30 Aug 2005 18:13:20 -0000
Received: from mercury.lan (localhost [127.0.0.1])
	by mercury.lan (8.13.3/8.13.3) with ESMTP id j7UIDJj3020516
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 30 Aug 2005 11:13:19 -0700 (PDT)
	(envelope-from nate@mercury.lan)
Received: (from nate@localhost)
	by mercury.lan (8.13.3/8.13.3/Submit) id j7UIDIAw020515;
	Tue, 30 Aug 2005 11:13:18 -0700 (PDT)
	(envelope-from nate)
Message-Id: <200508301813.j7UIDIAw020515@mercury.lan>
Date: Tue, 30 Aug 2005 11:13:18 -0700 (PDT)
From: Nate Eldredge <nge@cs.hmc.edu>
Reply-To: Nate Eldredge <nge@cs.hmc.edu>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: fsck_ffs: unchecked use of cg_inosused macro etc.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         85494
>Category:       bin
>Synopsis:       fsck_ffs: unchecked use of cg_inosused macro etc.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-fs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 30 18:30:21 GMT 2005
>Closed-Date:    
>Last-Modified:  Fri Sep 24 20:50:16 UTC 2010
>Originator:     Nate Eldredge
>Release:        FreeBSD 5.4-RELEASE-p3 i386
>Organization:
>Environment:
System: FreeBSD mercury.lan 5.4-RELEASE-p3 FreeBSD 5.4-RELEASE-p3 #1: Wed Jun 29 18:04:58 PDT 2005 nate@mercury.lan:/medium/obj/medium/src/sys/MERCURY i386
>Description:

When fsck_ffs is checking a file system, one of the passes is to check the
cylinder groups and see if the various bitmaps are correct.  For example, on
line 325 of pass5.c it looks at cg_inosused(cg).  cg has been read from the
disk, and cg_inosused is a pointer to cg->cg_iusedoff bytes past cg.  (Defined
in <ufs/ffs/fs.h>.)  Presumably the inosused bitmap is supposed to be in the
same block as the cg structure.  However, if the cylinder group header is
corrupt, cg->cg_iusedoff could be anything and thus cg_inosused(cg) will be a
bogus pointer, and fsck_ffs will crash.  Possibly there is no reasonable way for
fsck_ffs to handle such corruption, but it still shouldn't segfault IMHO. 

Other uses of the cg_* macros are also suspect, and there may be other errors of
the same sort throughout fsck.  dumpfs has similar bugs.

>How-To-Repeat:

I have a filesystem image which crashes fsck_ffs because of this bug.  However,
the image is 1G and may contain some sensitive data (it's a corrupt /var) so I
would rather not make it available.  I can try to explain the problem further if
necessary.

>Fix:

Check cg->cg_iusedoff for sanity before trying to use it.  For instance, make sure
it points within the block that's been read from the disk.


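An added C illustration of the bounds check proposed in the Fix section (not code from the PR or from FreeBSD's fsck_ffs): the header struct is a simplified stand-in for struct cg, the block size and sample headers are constructed; only the CG_MAGIC value and the cg_inosused pointer arithmetic follow <ufs/ffs/fs.h>.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Simplified stand-in for the on-disk cylinder group header (assumption:
 * the real struct cg in <ufs/ffs/fs.h> has many more fields). */
struct cg_hdr {
    uint32_t cg_magic;     /* CG_MAGIC in the real header */
    uint32_t cg_niblk;     /* number of inodes in this cylinder group */
    uint32_t cg_iusedoff;  /* byte offset of the inode-used bitmap */
};

#define CG_MAGIC_VAL 0x090255   /* value of CG_MAGIC in fs.h */
#define CG_BLKSIZE   8192       /* constructed block size for this example */

/* The pattern the PR describes: a pointer built from an on-disk offset. */
#define cg_inosused_unchecked(cgp) ((uint8_t *)(cgp) + (cgp)->cg_iusedoff)

/* The check the PR asks for: the bitmap must lie entirely inside the block
 * read from disk, and must not overlap the header itself. */
static bool
cg_inosused_valid(const struct cg_hdr *cgp, size_t blksize)
{
    size_t bmlen = (cgp->cg_niblk + 7) / 8;   /* one bit per inode */

    if (cgp->cg_magic != CG_MAGIC_VAL)
        return false;
    if (cgp->cg_iusedoff < sizeof(*cgp) || cgp->cg_iusedoff > blksize)
        return false;
    /* Subtract rather than add so a huge cg_iusedoff cannot overflow. */
    return bmlen <= blksize - cgp->cg_iusedoff;
}

/* Checked accessor: NULL instead of a wild pointer on a corrupt header. */
static uint8_t *
cg_inosused_checked(struct cg_hdr *cgp, size_t blksize)
{
    return cg_inosused_valid(cgp, blksize) ? cg_inosused_unchecked(cgp) : NULL;
}

/* Build a constructed block with the given header values and report
 * whether the checked accessor accepts it. */
static bool
example_accepts(uint32_t iusedoff, uint32_t niblk)
{
    static uint8_t block[CG_BLKSIZE];
    struct cg_hdr *cgp = (struct cg_hdr *)block;

    memset(block, 0, sizeof(block));
    cgp->cg_magic = CG_MAGIC_VAL;
    cgp->cg_niblk = niblk;
    cgp->cg_iusedoff = iusedoff;
    return cg_inosused_checked(cgp, sizeof(block)) != NULL;
}
```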
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-fs 
Responsible-Changed-By: brucec 
Responsible-Changed-When: Fri Sep 24 20:49:57 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=85494 
>Unformatted:
