Fix off-by-one error in fsck_ffs(8) chkrange() block-number check.

On an amd64-CURRENT machine, an i-node that refers to a block
number that is one too large will cause a core dump, due to writing
beyond the end of blockmap[] and corrupting the next heap block,
which happens to contain a struct inoinfo in inphash[]. Note that
valgrind catches the blockmap[] access.

Reported by:  Robert Morris
PR:           271289
MFC after:    1 week
Sponsored by: The FreeBSD Foundation
Kirk McKusick 2023-05-09 13:08:10 -07:00
parent 1985585233
commit b3fe5d9322

@ -381,8 +381,8 @@ chkrange(ufs2_daddr_t blk, int cnt)
{
int c;
if (cnt <= 0 || blk <= 0 || blk > maxfsblock ||
cnt - 1 > maxfsblock - blk) {
if (cnt <= 0 || blk <= 0 || blk >= maxfsblock ||
cnt > maxfsblock - blk) {
if (debug)
printf("out of range: blk %ld, offset %i, size %d\n",
(long)blk, (int)fragnum(&sblock, blk), cnt);
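Review bot: The corrected condition `blk >= maxfsblock || cnt > maxfsblock - blk` is right (the old form let blk + cnt - 1 reach maxfsblock, one past the last valid blockmap[] index), but the invariant it enforces is not stated anywhere in the hunk; a one-line comment above the `if`, e.g. `/* valid range is 0 <= blk && blk + cnt <= maxfsblock */`, would make the boundary explicit and stop the next reader from "fixing" it back. Also note that with `cnt <= 0` already rejected, `blk >= maxfsblock` is implied by `cnt > maxfsblock - blk`, so the extra test is redundant; keeping it is fine for clarity, but the comment should say which bound is the real one so that the two are not adjusted independently later.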