Subject: bin/37503: mount_mfs(8) segfaults on -s >=4194297
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <zeurkous@nichten.info>
List: netbsd-bugs
Date: 12/08/2007 19:25:00
>Number: 37503
>Category: bin
>Synopsis: mount_mfs(8) segfaults on -s >=4194397
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Dec 08 19:25:00 +0000 2007
>Originator: De Zeurkous
>Release: NetBSD 4.0_RC5
>Organization:
Korax Productions
>Environment:
System: NetBSD laagdrave.nichten.info 4.0_RC5 NetBSD 4.0_RC5 (GENERIC) #0: Wed Nov 28 13:48:20 PST 2007 builds@wb34:/home/builds/ab/netbsd-4-0-RC5/i386/200711280522Z-obj/home/builds/ab/netbsd-4-0-RC5/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
When invoking mount_mfs(8) with a sector count equal to or higher than 4194397, it segfaults:
# mount_mfs -s 4194297 blaat /tmp
[1] Segmentation fault (core dumped) mount_mfs -s 4194297 blaat /tmp
# df /tmp
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/wd0a 381511 26906 335530 7% /
# mount -v | grep /tmp
# umount -v /tmp
umount: /tmp: not currently mounted
Lower counts seem to work just fine:
# mount_mfs -s 4194296 blaat /tmp
# df /tmp
Filesystem 1K-blocks Used Avail Capacity Mounted on
mfs:674 2064490 2 1961264 0% /tmp
# mount -v | grep /tmp
# mfs:674 on /tmp type mfs (synchronous, local, fsid: 0xff23/0x78b, reads: sync 1 async 0, writes: sync 0 async 0)
# umount -v /tmp
mfs:674: unmount from /tmp
I've not included the output of the >4194297 case since, except for the parameter, it is identical. The core dump of the very same invocation whose output is included above can be found at:
http://www.xs4all.nl/~maribu/devel/NetBSD/mount_mfs/mount_mfs.ding1.core.bz2
Just to be sure, the dmesg can be found here:
http://www.xs4all.nl/~maribu/devel/NetBSD/mount_mfs/mount_mfs.dmesg.gz
Also, the manual page very briefly refers to a '-S secsize' parameter in the description of the '-s' one, but it is not described separately.
>How-To-Repeat:
See above.
>Fix:
No fix is currently known.
>Unformatted: