Commit Graph

86 Commits

Author SHA1 Message Date
Kirk McKusick
0061238fb0 This update eliminates a kernel stack disclosure bug in UFS/FFS
directory entries that is caused by uninitialized directory entry
padding written to the disk. It can be viewed by any user with read
access to that directory. Up to 3 bytes of kernel stack are disclosed
per file entry, depending on the the amount of padding the kernel
needs to pad out the entry to a 32 bit boundry. The offset in the
kernel stack that is disclosed is a function of the filename size.
Furthermore, if the user can create files in a directory, this 3
byte window can be expanded 3 bytes at a time to a 254 byte window
with 75% of the data in that window exposed. The additional exposure
is done by removing the entry, creating a new entry with a 4-byte
longer name, extracting 3 more bytes by reading the directory, and
repeating until a 252 byte name is created.

This exploit works in part because the area of the kernel stack
that is being disclosed is in an area that typically doesn't change
that often (perhaps a few times a second on a lightly loaded system),
and these file creates and unlinks themselves don't overwrite the
area of kernel stack being disclosed.

It appears that this bug originated with the creation of the Fast
File System in 4.1b-BSD (Circa 1982, more than 36 years ago!), and
is likely present in every Unix or Unix-like system that uses
UFS/FFS. Amazingly, nobody noticed until now.

This update also adds the -z flag to fsck_ffs to have it scrub
the leaked information in the name padding of existing directories.
It only needs to be run once on each UFS/FFS filesystem after a
patched kernel is installed and running.

Submitted by: David G. Lawrence <dg@dglawrence.com>
Reviewed by:  kib
MFC after:    1 week
2019-05-03 21:54:14 +00:00
Kirk McKusick
8f829a5cf0 Continuing efforts to provide hardening of FFS. This change adds a
check hash to the filesystem inodes. Access attempts to files
associated with an inode with an invalid check hash will fail with
EINVAL (Invalid argument). Access is reestablished after an fsck
is run to find and validate the inodes with invalid check-hashes.
This check avoids a class of filesystem panics related to corrupted
inodes. The hash is done using crc32c.

Note this check-hash is for the inode itself and not any of its
indirect blocks. Check-hash validation may be extended to also
cover indirect block pointers, but that will be a separate (and
more costly) feature.

Check hashes are added only to UFS2 and not to UFS1 as UFS1 is
primarily used in embedded systems with small memories and low-powered
processors which need as light-weight a filesystem as possible.

Reviewed by:  kib
Tested by:    Peter Holm
Sponsored by: Netflix
2018-12-11 22:14:37 +00:00
Kirk McKusick
9fc5d538fc In preparation for adding inode check-hashes, clean up and
document the libufs interface for fetching and storing inodes.
The undocumented getino / putino interface has been replaced
with a new getinode / putinode interface.

Convert the utilities that had been using the undocumented
interface to use the new documented interface.

No functional change (as for now the libufs library does not
do inode check-hashes).

Reviewed by:  kib
Tested by:    Peter Holm
Sponsored by: Netflix
2018-11-13 21:40:56 +00:00
Kirk McKusick
ec888383cf Continuing efforts to provide hardening of FFS, this change adds a
check hash to the superblock. If a check hash fails when an attempt
is made to mount a filesystem, the mount fails with EINVAL (Invalid
argument). This avoids a class of filesystem panics related to
corrupted superblocks. The hash is done using crc32c.

Check hases are added only to UFS2 and not to UFS1 as UFS1 is primarily
used in embedded systems with small memories and low-powered processors
which need as light-weight a filesystem as possible.

Reviewed by:  kib
Tested by:    Peter Holm
Sponsored by: Netflix
2018-10-23 21:10:06 +00:00
Kirk McKusick
31461aa2f1 Include files missed in 329051. 2018-02-08 23:14:24 +00:00
David Bright
469759f8e4 Exit fsck_ffs with non-zero status when file system is not repaired.
When the fsck_ffs program cannot fully repair a file system, it will
output the message PLEASE RERUN FSCK. However, it does not exit with a
non-zero status in this case (contradicting the man page claim that it
"exits with 0 on success, and >0 if an error occurs."  The fsck
rc-script (when running "fsck -y") tests the status from fsck (which
passes along the exit status from fsck_ffs) and issues a "stop_boot"
if the status fails. However, this is not effective since fsck_ffs can
return zero even on (some) errors. Effectively, it is left to a later
step in the boot process when the file systems are mounted to detect
the still-unclean file system and stop the boot.

This change modifies fsck_ffs so that when it cannot fully repair the
file system and issues the PLEASE RERUN FSCK message it also exits
with a non-zero status.

While here, the fsck_ffs man page has also been updated to document
the failing exit status codes used by fsck_ffs. Previously, only exit
status 7 was documented. Some of these exit statuses are tested for in
the fsck rc-script, so they are clearly depended upon and deserve
documentation.

Reviewed by:	mckusick, vangyzen, jilles (manpages)
MFC after:	1 week
Sponsored by:	Dell EMC
Differential Revision:	https://reviews.freebsd.org/D13862
2018-01-15 19:25:11 +00:00
Pedro F. Giffuni
8a16b7a18f General further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
2017-11-20 19:49:47 +00:00
Kirk McKusick
918820682e Do not report the filesystem as modified when the only change is to
update the timestamp in the superblock.

Reported by:	Peter Holm
MFC after:	1 week
2017-10-09 22:19:58 +00:00
Warner Losh
fbbd9655e5 Renumber copyright clause 4
Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.

Submitted by:	Jan Schaumann <jschauma@stevens.edu>
Pull Request:	https://github.com/freebsd/freebsd/pull/96
2017-02-28 23:42:47 +00:00
Ed Maste
1dc349ab95 prefix UFS symbols with UFS_ to reduce namespace pollution
Specifically:
  ROOTINO -> UFS_ROOTINO
  WINO -> UFS_WINO
  NXADDR -> UFS_NXADDR
  NDADDR -> UFS_NDADDR
  NIADDR -> UFS_NIADDR
  MAXSYMLINKLEN_UFS[12] -> UFS[12]_MAXSYMLINKLEN (for consistency)

Also prefix ext2's and nandfs's NDADDR and NIADDR with EXT2_ and NANDFS_

Reviewed by:	kib, mckusick
Obtained from:	NetBSD
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D9536
2017-02-15 19:50:26 +00:00
Renato Botelho
db83b1436a * Add missing parameters to usage()
* Add missing parameters to manpage synopsis
* Add missing description of -d flag
* Sort flags descriptions

Reviewed by:	allanjude, kib
Approved by:	allanjude
MFC after:	1 week
Sponsored by:	Rubicon Communications (Netgate)
Differential Revision:	https://reviews.freebsd.org/D9152
2017-02-14 21:14:24 +00:00
Kirk McKusick
6a5972db72 Fsck_ufs was using an int rather than a ufs2_daddr_t to store the
alternate superblock location when given in the -b option. When int
is 32-bits, block numbers larger than 2^32 would get truncated. This
commit changes the storage fpr the alternate superblock location
to a ufs2_daddr_t.

Submitted by: Dmitry Sivachenko <trtrmitya@gmail.com>
2016-08-19 00:03:41 +00:00
Conrad Meyer
333d028407 fsck_ffs: Don't overrun mount device buffer
Maybe this case is impossible.  Either way, when attempting to "/dev/"-prefix a
non-global device name, check that we do not overrun the f_mntfromname buffer.

In this case, truncating (with strlcpy or similar) would not be useful, since
the f_mntfromname result of getmntpt() is passed directly to open(2) later.

Reported by:	Coverity
CID:		1006789
Sponsored by:	EMC / Isilon Storage Division
2016-05-11 16:20:23 +00:00
Pedro F. Giffuni
7d5e656214 fsck_ffs for pointers replace 0 with NULL.
Found with devel/coccinelle.

Reviewed by:	mckusick
2016-04-12 22:55:47 +00:00
Scott Long
7703a6ff27 Add the -R option to allow fsck_ffs to restart itself when too many critical
errors have been detected in a particular run.

Clean up the global state variables so that a restart can happen correctly.

Separate the global variables in fsck_ffs and fsdb to their own file.  This
fixes header sharing with fscd.

Correctly initialize, static-ize, and remove global variables as needed in
dir.c.  This fixes a problem with lost+found directories that was causing
a segfault.

Correctly initialize, static-ize, and remove global variables as needed in
suj.c.

Initialize the suj globals before allocating the disk object, not after.
Also ensure that 'preen' mode doesn't conflict with 'restart' mode

Submitted by:	scottl, max
Reviewed by:	max, mckusick (earlier version)
Obtained from:	Netflix
MFC after:	3 days
2013-12-30 01:16:08 +00:00
Scott Long
ce779f3756 Add a 'surrender' mode to fsck_ffs. With the -S flag, once hard read errors
are encountered, the fsck will stop instead of wasting time chewing through
possibly other errors.

Obtained from:	Netflix
MFC after:	3 days
2013-07-30 22:57:12 +00:00
Dag-Erling Smørgrav
2b5373de83 Add a -Z option which zeroes unused blocks. It can be combined with -E,
in which case unused blocks are first zeroed and then erased.

Reviewed by:	mckusick
MFC after:	3 weeks
2013-04-29 20:13:09 +00:00
Kirk McKusick
ed75b5a156 When running with the -d option, instrument fsck_ffs to track the number,
data type, and running time of its I/O operations.

No functional changes.
2013-02-24 06:44:29 +00:00
Matthew D Fleming
a1c9ec3ce0 Fix some nearby type and style errors.
Pointed out by:	bde
2012-09-28 17:34:34 +00:00
Matthew D Fleming
623d7cb663 Fix fsck_ffs build with a 64-bit ino_t.
Original code by:	Gleb Kurtsou
2012-09-27 23:30:58 +00:00
David E. O'Brien
bd3c72d0d8 Simply printf-like strings and outdent strings so that it is easy to see
if they fit on a standard terminal.
2012-09-12 14:59:57 +00:00
Dag-Erling Smørgrav
1d449f95f2 Forgot this nit in r221107.
Approved by:	re (kib)
2011-09-03 03:12:33 +00:00
Dag-Erling Smørgrav
8d3dfc2691 Add an -E option to mirror newfs's. The idea is that if you have a system
that was built before ffs grew support for TRIM, your filesystem will have
plenty of free blocks that the flash chip doesn't know are free, so it
can't take advantage of them for wear leveling.  Once you've upgraded your
kernel, you enable TRIM on the filesystem (tunefs -t enable), then run
fsck_ffs -E on it before mounting it.

I tested this patch by half-filling an mdconfig'ed filesystem image,
running fsck_ffs -E on it, then verifying that the contents were not
damaged by comparing them to a pristine copy using rsync's checksum
functionality.  There is no reliable way to test it on real hardware.

Many thanks to mckusick@, who provided the tricky parts of this patch and
reviewed the final version.

Reviewed by:	mckusick@
MFC after:	3 weeks
2011-04-29 23:00:23 +00:00
Dag-Erling Smørgrav
d40c066473 Mechanical whitespace cleanup.
MFC after:	3 weeks
2011-04-27 02:55:03 +00:00
Kirk McKusick
7649cb0043 The dump, fsck_ffs, fsdb, fsirand, newfs, makefs, and quot utilities
include sys/time.h instead of time.h. This include is incorrect as
per the manpages for the APIs and the POSIX definitions. This commit
replaces sys/time.h where necessary with time.h.

The commit also includes some minor style(9) header fixup in newfs.

This commit is part of a larger effort by Garrett Cooper started in
//depot/user/gcooper/posix-conformance-work/ -- to make FreeBSD more
POSIX compliant.

Submitted by:  Garrett Cooper   yanegomi at gmail dot com
2011-01-24 06:17:05 +00:00
Bjoern A. Zeeb
08bb15b96f One question mark per question; everything else is just exaggerating.
reply() will output a '?', when printing the question along with [yn],
so no need to have another here.
2010-08-03 09:21:13 +00:00
Xin LI
edad602637 Improve fsck robustness for SU+J cases:
- Use err/errx only when the case is really fatal.  For other
   cases, fall back to full fsck instead of quiting fsck.
 - Plug a memory leak.
 - Avoid divide by zero when printing summary.
 - Output "FILE SYSTEM IS MARKED CLEAN" when a successful
   journal recovering is done.
 - When -f is specified, do full fsck instead of journal recovery.
2010-06-22 00:26:07 +00:00
Jeff Roberson
113db2dddb - Merge soft-updates journaling from projects/suj/head into head. This
brings in support for an optional intent log which eliminates the need
   for background fsck on unclean shutdown.

Sponsored by:   iXsystems, Yahoo!, and Juniper.
With help from: McKusick and Peter Holm
2010-04-24 07:05:35 +00:00
Kirk McKusick
21be55cc4b Add some error messages suggested in PR bin/138043. The code to
correct the problem was added in r176575 by delphij on 2008-02-25.

PR:		138043
Reported by:	Heikki Suonsivu
2010-01-07 01:10:49 +00:00
Kirk McKusick
910b491e7e Update the actions previously attempted by the -D option to make them
robust. With these changes fsck is now able to detect and reliably
rebuild corrupted cylinder group maps. The -D option is no longer
necessary as it has been replaced by a prompt asking whether the
corrupted cylinder group should be rebuilt and doing so when requested.
These actions are only offered and taken when running fsck in manual
mode. Corrupted cylinder groups found during preen mode cause the fsck
to fail.

Add the -r option to free up excess unused inodes. Decreasing the
number of preallocated inodes reduces the running time of future
runs of fsck and frees up space that can allocated to files. The -r
option is ignored when running in preen mode.

Reviewed by: Xin LI <delphij@>
Sponsored by: Rsync.net
2009-02-04 01:02:56 +00:00
David E. O'Brien
111a52201c Add the '-C' "check clean" flag. If the FS is marked clean, skip file
system checking.  However, if the file system is not clean, perform a
full fsck.

Reviewed by:	delphij
Obtained from:	Juniper Networks
2009-01-30 18:33:05 +00:00
Xin LI
7f94ca7233 Rename option 'C' to 'D' (damaged) in order to avoid a conflict with upcoming
Juniper 'C' (clean) flag.

Requested by:	obrien
MFC after:	1 week
2009-01-20 22:49:49 +00:00
David E. O'Brien
defc9d504b Garbage collect 'fflags'. 2008-12-24 03:07:19 +00:00
Craig Rodrigues
6910e995d9 Instead of passing MNT_UPDATE, MNT_SNAPSHOT, MNT_RELOAD from
userspace to kernel via nmount(), pass in the strings
"update", "snapshot", "reload".

We want to move away from passing MNT_ flags from userspace -> kernel
via nmount(), and instead favor passing the string options.
2008-08-23 01:21:10 +00:00
Stanislav Sedov
4f38796595 - Display '-C' option in usage().
Approved by:	kib
2008-06-08 19:48:41 +00:00
Xin LI
14320f1e7f Add a new flag, '-C' which enables a special mode that is intended for
catastrophic recovery.  Currently, this mode only validates whether a
cylindergroup has good signature data, and prompts the user to decide
whether to clear it as a whole.

This mode is useful when there is data damage on a disk and you are
working on copy of the original disk, as fsck_ffs(8) tends to abnormally
exit in such case, as a last resort to recover data from the disk.
2008-04-10 23:49:23 +00:00
Craig Rodrigues
205e074f2c Add comment about specifying "ro" mount option when
doing an update mount on a read-only file system.

Requested by:	yar
2008-04-04 01:50:58 +00:00
Craig Rodrigues
d8f7b008a7 For a mounted file system which is read-only, when
doing the MNT_RELOAD, pass in "ro" and "update"
string mount options to nmount() instead of MNT_RDONLY and MNT_UPDATE flags.

Due to the complexity of the mount parsing code especially
with respect to the root file system, passing in MNT_RDONLY and MNT_UPDATE
flags would do weird things and would cause fsck to convert the root
file system from a read-only mount to read-write.

To test:
 - boot into single user mode
 - show mounted file systems with: mount
 - root file system should be mounted read-only
 - fsck /
 - show mounted file systems with: mount
 - root file system should still be mounted read-only

PR:		120319
MFC after:	1 month
Reported by:	yar
2008-03-05 08:25:49 +00:00
Craig Rodrigues
22a122f315 Remove hacks to filter out MNT_ROOTFS, since we now
do that internally inside nmount() in revision 1.267 of vfs_mount.c.
2008-03-05 06:24:42 +00:00
Craig Rodrigues
24adb851f1 Convert fsck_ffs to nmount(). This seems to solve
an intermittent problem where MNT_RELOAD fails
for the root file system.

Reported and tested by: phk
Approved by:		re (bmah)
2007-09-19 01:24:19 +00:00
Pawel Jakub Dawidek
db3f838d97 Fix fscking gjournaled root file system: root file system is already mounted
read-only, so we can't simply exit right after calling gjournal_check(),
instead we need to ask about super block reload.

Submitted by:	Niki Denev <niki@totalterror.net>
PR:		misc/113889
Approved by:	re (kensmith)
2007-08-10 06:29:54 +00:00
Pawel Jakub Dawidek
aef8d2449b Implements gjournal support. If file system has gjournal support enabled
and -p flag was given perform fast file system checking (bascially only
garbage collecting of orphaned objects).

Rename bread() to blread() and bwrite() to blwrite() as we now link to
the libufs library, which also implement functions with that names.

Sponsored by:	home.pl
2006-10-31 22:06:56 +00:00
Ruslan Ermilov
8d646af581 Sync program's usage() with manpage's SYNOPSIS. 2005-02-10 09:19:34 +00:00
Poul-Henning Kamp
d90b3ef3c9 Do not pass random bits as mount arguments. 2004-12-12 11:04:52 +00:00
Don Lewis
af6726e657 Eliminate linked list used to track inodes with an initial link
count of zero and instead encode this information in the inode state.
Pass 4 performed a linear search of this list for each inode in
the file system, which performs poorly if the list is long.

Reviewed by:    sam & keramida (an earlier version of the patch), mckusick
MFC after:	1 month
2004-10-08 20:44:47 +00:00
Mark Murray
4c723140a4 Remove advertising clause from University of California Regent's license,
per letter dated July 22, 1999.

Approved by: core, imp
2004-04-09 19:58:40 +00:00
Scott Long
1660ae8795 In the case of a background fsck, periodically update the process title
with a progress update.
2004-02-28 07:50:42 +00:00
Kirk McKusick
ff76fc7f16 Create a .snap directory mode 770 group operator in the root of each
filesystem that is checked in background. Create the snapshot in this
directory rather than in the root. There are two benefits:

1) For terabyte-sized filesystems, the snapshot may require many
   minutes to build. Although the filesystem will not be suspended
   during most of the snapshot build, the snapshot file itself is
   locked during the entire snapshot build period. Thus, if it is
   accessed during the period that it is being built, the process
   trying to access it will block holding its containing directory
   locked. If the snapshot is in the root, the root will lock and
   the system will come to a halt until the snapshot finishes. By
   putting the snapshot in a subdirectory, it is out of the likely
   path of any process traversing through the root and hence much
   less likely to cause a lock race to the root.

2) The dump program is usually run by a non-root user running with
   operator group privilege. Such a user is typically not permitted
   to create files in the root of a filesystem. By having a directory
   in group operator with group write access available, such a user
   will be able to create a snapshot there. Having the dump program
   create its snapshot in a subdirectory below the root will benefit
   from point (1) as well.

Sponsored by:   DARPA & NAI Labs.
2003-10-08 02:14:03 +00:00
Ruslan Ermilov
e4e0776408 Spell "file system" correctly. 2003-08-01 11:31:19 +00:00
David E. O'Brien
c69284ca08 Use __FBSDID() to quiet GCC 3.3 warnings. 2003-05-03 18:41:59 +00:00