Subject: bin/5404: fsck_ffs buffer overrun
To: None <gnats-bugs@gnats.netbsd.org>
From: Minoura Makoto <minoura@kw.netlaputa.ne.jp>
List: netbsd-bugs
Date: 05/06/1998 10:34:06
>Number:         5404
>Category:       bin
>Synopsis:       fsck_ffs buffer overrun
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue May  5 18:50:01 1998
>Last-Modified:
>Originator:     Minoura Makoto
>Organization:
MINOURA, Makoto <minoura@kw.netlaputa.ne.jp> or <minoura@kyogoku.com>
Nakahara-ku Kawasaki-Shi, JAPAN
>Release:        May 5, 1998
>Environment:
System: NetBSD daisy 1.3E NetBSD 1.3E (DAISY) #55: Sun May 3 20:00:01 JST 1998 root@daisy:/usr/src/sys/arch/i386/compile/DAISY i386


>Description:
	fsck_ffs causes `Segmentation fault' in pass 5, fixing
	`BLK(S) MISSING IN BIT MAPS' corruption.
>How-To-Repeat:
(gdb) r /dev/rsd2d
Starting program: /usr/src/sbin/fsck_ffs/obj/fsck_ffs /dev/rsd2d
** /dev/rsd2d
** Swapped byte order
** Last Mounted on /a/daisy/vol/mo0
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
BLK(S) MISSING IN BIT MAPS
SALVAGE? [yn] y


Program received signal SIGSEGV, Segmentation fault.
0xd47f in copyback_cg (blk=0x31e3c) at /usr/src/sbin/fsck_ffs/utilities.c:589
589             memcpy(blk->b_un.b_cg, cgrp, SBSIZE);
(gdb) where
#0  0xd47f in copyback_cg (blk=0x31e3c)
    at /usr/src/sbin/fsck_ffs/utilities.c:589
#1  0x96c8 in pass5 () at /usr/src/sbin/fsck_ffs/pass5.c:336
#2  0x51e2 in checkfilesys (filesys=0x2c688 "/dev/rsd2d", mntpt=0x0, 
    auxdata=0, child=0) at /usr/src/sbin/fsck_ffs/main.c:269
#3  0x4d7f in main (argc=2, argv=0xefbfd8b8)
    at /usr/src/sbin/fsck_ffs/main.c:167
(gdb) print *blk->b_un.b_cg
$1 = {cg_firstfield = 0, cg_magic = 590421, cg_time = 893931610, cg_cgx = 0, 
  cg_ncyl = 16, cg_niblk = 128, cg_ndblk = 2000, cg_cs = {cs_ndir = 1, 
    cs_nbfree = 70, cs_nifree = 117, cs_nffree = 7}, cg_rotor = 1584, 
  cg_frotor = 56, cg_irotor = 8, cg_frsum = {0, 0, 0, 0, 0, 0, 0, 1}, 
  cg_btotoff = 168, cg_boff = 232, cg_iusedoff = 264, cg_freeoff = 280, 
  cg_nextfreeoff = 596, cg_clustersumoff = 528, cg_clusteroff = 564, 
  cg_nclusterblks = 250, cg_sparecon = {0 <repeats 13 times>}, cg_space = ""}
(gdb) print *cgrp
$2 = {cg_firstfield = 0, cg_magic = 590421, cg_time = 893931610, cg_cgx = 0, 
  cg_ncyl = 16, cg_niblk = 128, cg_ndblk = 2000, cg_cs = {cs_ndir = 1, 
    cs_nbfree = 70, cs_nifree = 117, cs_nffree = 7}, cg_rotor = 1584, 
  cg_frotor = 56, cg_irotor = 8, cg_frsum = {0, 0, 0, 0, 0, 0, 0, 1}, 
  cg_btotoff = 168, cg_boff = 232, cg_iusedoff = 264, cg_freeoff = 280, 
  cg_nextfreeoff = 596, cg_clustersumoff = 528, cg_clusteroff = 564, 
  cg_nclusterblks = 250, cg_sparecon = {0 <repeats 13 times>}, cg_space = ""}

>Fix:
*** src/sbin/fsck_ffs/utilities.c.orig	Mon Mar 30 21:29:15 1998
--- src/sbin/fsck_ffs/utilities.c	Wed May  6 10:25:46 1998
***************
*** 586,592 ****
  void copyback_cg(blk)
  	struct bufarea *blk;
  {
! 	memcpy(blk->b_un.b_cg, cgrp, SBSIZE);
  	if (needswap)
  		swap_cg(cgrp, blk->b_un.b_cg);
  }
--- 586,592 ----
  void copyback_cg(blk)
  	struct bufarea *blk;
  {
! 	memcpy(blk->b_un.b_cg, cgrp, sblock->fs_cgsize);
  	if (needswap)
  		swap_cg(cgrp, blk->b_un.b_cg);
  }
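Review bot: replacing the fixed SBSIZE with sblock->fs_cgsize is the right bound for this memcpy, and the gdb dump above supports it: cg_nextfreeoff = 596 for this 16-cylinder group, so the cylinder group structure is far smaller than SBSIZE and a fixed-size copy writes past the end of the buffer behind blk->b_un.b_cg, which is the fault at utilities.c:589. Two things are not visible in this hunk and should be checked before commit: the reverse copy that fills cgrp from the buffer, and the allocation of the cg buffer itself, must use the same fs_cgsize so that both directions agree. A short comment on the memcpy line saying that the cg buffer is fs_cgsize bytes, not SBSIZE, would keep the constant from being reintroduced later.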
>Audit-Trail:
>Unformatted: