Subject: kern/31565: disk-bounds check may lose if requested transfer is very big or secsize is not equal to 1 << DEV_BSHIFT
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Wolfgang Stukenbrock <wgstuken@s012.nagler-company.com>
List: netbsd-bugs
Date: 10/12/2005 10:10:01
>Number:         31565
>Category:       kern
>Synopsis:       disk-bounds check may lose if requested transfer is very big or secsize is not equal to 1 << DEV_BSHIFT
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Oct 12 10:10:01 +0000 2005
>Originator:     Wolfgang Stukenbrock
>Release:        NetBSD 2.0.2
>Organization:
Dr. Nagler & Company GmbH
>Environment:
	
	
System: NetBSD s012 2.0_RC5 NetBSD 2.0_RC5 (S012) #6: Tue Nov 30 11:38:39 CET 2004 wgstuken@s012:/export/netbsd-2.0rc4/src/sys/arch/i386/compile/S012 i386
Architecture: i386
Machine: i386
>Description:
	In file sys/kern/subr_disk.c, in the routine bounds_check_with_mediasize(),
	the local variable used for the block number calculation is only of type int,
	but the block number and block counts are int64. This may lead to problems if
	very large transfer requests beyond the disk are issued.
	A second problem may be the shift constant DEV_BSHIFT used in this routine
	when truncating the last request. The parameter secsize should be used here,
	because secsize is used before, and if secsize != (1 << DEV_BSHIFT) then a
	wrong b_bcount will result here!


>How-To-Repeat:
	I've found this in the source code while searching for another problem with
	disk I/O at physical block 0x0fffffff.
>Fix:
	Change the size of the local variable sz to daddr_t (or an equivalent 64-bit
	type) and replace the shift by a multiply with secsize.
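The reported shape of the check and the proposed fix side by side, as an added example that is not the PR's or NetBSD's own code: a reduced model of the routine keeping only the fields the check touches, where the struct layout, the DEV_BSHIFT value of 9 and the howmany() macro are assumptions modelled on the description above. Run against a 2048-byte-sector disk and against a request starting far past the end, it shows the too-short truncated byte count and the int truncation that lets the out-of-range request through.

```c
#include <stdint.h>

/* Reduced model of the check the PR describes (added example, not the
 * NetBSD source); only the fields the bounds check touches are kept.
 * Both checks return 1 if the I/O may proceed, 0 on EOF or error. */
#define DEV_BSHIFT 9                            /* DEV_BSIZE == 512 */
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
#define EINVAL 22

struct buf {
	int64_t b_blkno;   /* first sector of the request */
	int     b_bcount;  /* bytes requested; shortened at end of media */
	int     b_error;   /* EINVAL if the request starts past the end */
};

/* Shape the PR reports: 'int sz' and 'sz << DEV_BSHIFT'. */
static int bounds_check_reported(struct buf *bp, int secsize, uint64_t mediasize)
{
	int sz = howmany(bp->b_bcount, secsize);
	if (bp->b_blkno + sz > (int64_t)mediasize) {
		/* int64 -> int: the high 32 bits are silently dropped */
		sz = (int)((int64_t)mediasize - bp->b_blkno);
		if (sz == 0)
			return 0;                 /* exactly at end: EOF */
		if (sz < 0) {
			bp->b_error = EINVAL;     /* starts past the end */
			return 0;
		}
		bp->b_bcount = sz << DEV_BSHIFT;  /* only right for 512-byte sectors */
	}
	return 1;
}

/* Fix the PR proposes: 64-bit sz, and multiply by secsize instead of shifting. */
static int bounds_check_fixed(struct buf *bp, int secsize, uint64_t mediasize)
{
	int64_t sz = howmany((int64_t)bp->b_bcount, secsize);
	if (bp->b_blkno + sz > (int64_t)mediasize) {
		sz = (int64_t)mediasize - bp->b_blkno;
		if (sz == 0)
			return 0;
		if (sz < 0) {
			bp->b_error = EINVAL;
			return 0;
		}
		bp->b_bcount = (int)(sz * secsize);
	}
	return 1;
}
```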