From 6a71277c3037df2c3a70464c2e2bf20dec2c128a Mon Sep 17 00:00:00 2001
From: Kirk McKusick <mckusick@FreeBSD.org>
Date: Mon, 29 May 2023 14:58:20 -0700
Subject: [PATCH] Fix a bug in fsck_ffs(8) triggered by corrupted filesystems.

When loading the root directory ensure that it is a directory
and has a size greater than the minimum directory size. If an
invalid root directory is found, fall back to full fsck.

Reported-by:  Robert Morris
PR:           271414
MFC-after:    1 week
Sponsored-by: The FreeBSD Foundation
---
 sbin/fsck_ffs/suj.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/sbin/fsck_ffs/suj.c b/sbin/fsck_ffs/suj.c
index c86d6b711635..1e935b864b7c 100644
--- a/sbin/fsck_ffs/suj.c
+++ b/sbin/fsck_ffs/suj.c
@@ -2377,7 +2377,7 @@ suj_check(const char *filesys)
 {
 	struct inodesc idesc;
 	struct csum *cgsum;
-	union dinode *jip;
+	union dinode *dp, *jip;
 	struct inode ip;
 	uint64_t blocks;
 	int i, retval;
@@ -2419,7 +2419,17 @@ suj_check(const char *filesys)
 	idesc.id_func = findino;
 	idesc.id_name = SUJ_FILE;
 	ginode(UFS_ROOTINO, &ip);
-	if ((ckinode(ip.i_dp, &idesc) & FOUND) == FOUND) {
+	dp = ip.i_dp;
+	if ((DIP(dp, di_mode) & IFMT) != IFDIR) {
+		irelse(&ip);
+		err_suj("root inode is not a directory\n");
+	}
+	if (DIP(dp, di_size) < 0 || DIP(dp, di_size) > MAXDIRSIZE) {
+		irelse(&ip);
+		err_suj("negative or oversized root directory %jd\n",
+		    (uintmax_t)DIP(dp, di_size));
+	}
+	if ((ckinode(dp, &idesc) & FOUND) == FOUND) {
 		sujino = idesc.id_parent;
 		irelse(&ip);
 	} else {