Subject: bin/22123: fsck_lfs(8) dumps core if superblock contains some garbage
To: None <gnats-bugs@gnats.netbsd.org>
From: None <tsutsui@ceres.dti.ne.jp>
List: netbsd-bugs
Date: 07/12/2003 06:00:06
>Number: 22123
>Category: bin
>Synopsis: fsck_lfs(8) dumps core if superblock contains some garbage
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jul 11 21:01:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Izumi Tsutsui
>Release: NetBSD 1.6U 20030705
>Organization:
>Environment:
System: NetBSD mirage 1.6U
Architecture: hp300
Machine: m68k
>Description:
fsck_lfs(8) dumps core if the superblock contains garbage in its unused area.
fsck_lfs(8) initializes struct lfs *fs in lfs.c:lfs_init() and
reads the superblock from the partition, but some members
following lfs_dlfs (the on-disk superblock) are not initialized.
Some of these uninitialized members (lfs_activesb, lfs_seglock)
are referred to in fsck_lfs(8), so it causes unexpected behavior
(i.e. a coredump).
>How-To-Repeat:
Try newfs_lfs(8) and fsck_lfs(8) against "dirty" partitions.
>Fix:
Initialize some members in struct lfs in lfs.c:lfs_init():
Index: lfs.c
===================================================================
RCS file: /cvsroot/src/sbin/fsck_lfs/lfs.c,v
retrieving revision 1.3
diff -u -r1.3 lfs.c
--- lfs.c 2003/05/08 18:39:09 1.3
+++ lfs.c 2003/07/11 20:42:34
@@ -476,7 +476,7 @@
}
error = bread(devvp, sblkno, LFS_SBPAD, NOCRED, &bp);
fs = (struct lfs *) malloc(sizeof(*fs));
- *fs = *((struct lfs *) bp->b_data);
+ fs->lfs_dlfs = *((struct dlfs *) bp->b_data);
fs->lfs_unlockvp = devvp;
bp->b_flags |= B_INVAL;
brelse(bp);
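Review bot: with the copy narrowed to fs->lfs_dlfs, every in-core member of the freshly malloc()ed fs other than lfs_unlockvp is now indeterminate rather than stale disk bytes, and only three of them are zeroed later in this patch; allocate fs with calloc() (or memset(fs, 0, sizeof(*fs)) before the copy) so the whole in-core part starts defined. Separately, the return value of bread() is stored in error but bp->b_data is dereferenced before error is checked, and malloc() can return NULL; both should be checked before `fs->lfs_dlfs = *((struct dlfs *) bp->b_data);`.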
@@ -484,8 +484,8 @@
if (tryalt) {
error = bread(devvp, fsbtodb(fs, fs->lfs_sboffs[1]),
LFS_SBPAD, NOCRED, &bp);
- altfs = (struct lfs *) malloc(sizeof(*fs));
- *altfs = *((struct lfs *) bp->b_data);
+ altfs = (struct lfs *) malloc(sizeof(*altfs));
+ altfs->lfs_dlfs = *((struct dlfs *) bp->b_data);
altfs->lfs_unlockvp = devvp;
bp->b_flags |= B_INVAL;
brelse(bp);
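Review bot: the same zero-initialization point applies to altfs, and the explicit `fs->lfs_iocount = 0;` / `fs->lfs_activesb = 0;` / `fs->lfs_seglock = 0;` assignments later in this patch touch only fs, so if altfs is the copy that ends up being used its in-core members stay undefined; use calloc() here as well. Also, the read offset fs->lfs_sboffs[1] comes from the primary superblock that this report says may contain garbage; a range check against the partition size before this bread() would avoid a read from a bogus location, and the bread() error and malloc() result are again unchecked before `altfs->lfs_dlfs = *((struct dlfs *) bp->b_data);`.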
@@ -523,6 +523,9 @@
fs->lfs_tstamp = fs->lfs_otstamp;
fs->lfs_fsbtodb = 0;
}
+ fs->lfs_iocount = 0;
+ fs->lfs_activesb = 0;
+ fs->lfs_seglock = 0;
fs->lfs_suflags = (u_int32_t **) malloc(2 * sizeof(u_int32_t *));
fs->lfs_suflags[0] = (u_int32_t *) malloc(fs->lfs_nseg * sizeof(u_int32_t));
fs->lfs_suflags[1] = (u_int32_t *) malloc(fs->lfs_nseg * sizeof(u_int32_t));
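Review bot: zeroing lfs_iocount, lfs_activesb and lfs_seglock one by one fixes the members this report found but leaves every other in-core member of struct lfs undefined; zero the whole struct at allocation time instead and keep explicit assignments only where a non-zero default is intended. The three malloc() calls that follow size the lfs_suflags arrays from fs->lfs_nseg, an on-disk value from the same possibly-garbage superblock, and none of their return values is checked; validate lfs_nseg (non-zero and within a sane bound for the partition) before sizing these allocations and fail cleanly on NULL.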
>Release-Note:
>Audit-Trail:
>Unformatted:
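As an added illustration of the mechanism in the Description (not code from NetBSD or from this report), the following C program uses simplified stand-in definitions of struct dlfs and struct lfs, a stand-in SBPAD size and a constructed "dirty" sector. The field names, the magic value and the layout are assumptions for the demo, not the real on-disk format. It contrasts the pre-patch whole-struct copy, which drags stale sector bytes into the in-core members, with a copy of the on-disk part into a zeroed allocation; the fixed loader also goes one step beyond the patch by zeroing every in-core member rather than three named ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for NetBSD's LFS_SBPAD, struct dlfs and struct lfs (assumed,
 * simplified; not the real definitions). SBPAD is the number of bytes
 * bread() hands back for the superblock, which exceeds sizeof(struct dlfs). */
#define SBPAD 128
#define SB_MAGIC 0x070162u   /* stand-in magic value for the demo */

struct dlfs {                 /* on-disk part: what newfs_lfs writes */
    uint32_t dlfs_magic;
    uint32_t dlfs_nseg;
    uint32_t dlfs_sboffs[2];
};

struct lfs {                  /* in-core: on-disk part plus runtime state */
    struct dlfs lfs_dlfs;
    int         lfs_iocount;
    int         lfs_activesb;
    void       *lfs_seglock;  /* a pointer; stale bytes here get dereferenced later */
};

/* Constructed "dirty" partition sector: a plausible superblock at the front,
 * leftover bytes from whatever previously occupied the sector after it. */
static void make_dirty_sector(unsigned char buf[SBPAD]) {
    struct dlfs sb = { SB_MAGIC, 16, { 8, 512 } };
    memset(buf, 0xA5, SBPAD);            /* stale data everywhere ...          */
    memcpy(buf, &sb, sizeof sb);         /* ... except where the superblock is */
}

/* Mirrors the pre-patch lfs_init(): *fs = *(struct lfs *)bp->b_data, written
 * with memcpy to avoid an alignment issue. Every byte past sizeof(struct dlfs)
 * comes from the stale sector contents, so the in-core fields are garbage. */
static struct lfs *load_buggy(const unsigned char buf[SBPAD]) {
    struct lfs *fs = malloc(sizeof *fs);
    if (fs == NULL)
        return NULL;
    memcpy(fs, buf, sizeof *fs);
    return fs;
}

/* Hardened loader: zero the whole in-core struct, copy only the on-disk part,
 * and reject a superblock whose magic does not match before using any of it. */
static struct lfs *load_fixed(const unsigned char buf[SBPAD]) {
    struct lfs *fs = calloc(1, sizeof *fs);
    if (fs == NULL)
        return NULL;
    memcpy(&fs->lfs_dlfs, buf, sizeof fs->lfs_dlfs);
    if (fs->lfs_dlfs.dlfs_magic != SB_MAGIC) {
        free(fs);
        return NULL;
    }
    return fs;
}

/* 1 if the in-core members are in the state lfs_init() should leave them in. */
static int incore_clean(const struct lfs *fs) {
    return fs->lfs_iocount == 0 && fs->lfs_activesb == 0 &&
           fs->lfs_seglock == NULL;
}

/* Load the constructed sector with either loader; return 1 if the result has
 * the right magic and clean in-core members, 0 if garbage leaked in,
 * -1 if the loader rejected the sector or ran out of memory. */
int demo(int use_fixed) {
    unsigned char sector[SBPAD];
    make_dirty_sector(sector);
    struct lfs *fs = use_fixed ? load_fixed(sector) : load_buggy(sector);
    if (fs == NULL)
        return -1;
    int ok = incore_clean(fs) && fs->lfs_dlfs.dlfs_magic == SB_MAGIC;
    free(fs);
    return ok;
}

int main(void) {
    printf("whole-struct copy: in-core fields clean? %d\n", demo(0));
    printf("dlfs-only copy:    in-core fields clean? %d\n", demo(1));
    return 0;
}
```

The point to take from the demo is that the size of the block read (SBPAD) is not the size of the on-disk structure, so a struct copy of the buffer silently imports whatever followed the superblock on disk; zeroing the allocation and copying only sizeof(struct dlfs) makes the in-core state independent of the sector's history.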