From owner-freebsd-fs Wed May 15 0:35:26 2002
Date: Wed, 15 May 2002 09:34:10 +0200
From: dak
To: freebsd-fs@freebsd.org
Subject: [FS BUG] How to easily corrupt an UFS file system with user access and big fake files.
Message-ID: <20020515073410.GA634@nitrogen>

Hi everybody,

I recently discovered a bug (probably in the FS functions) which allows a simple user to corrupt a file system by making ultra large fake files (many GB).

The *attack/bug* is simple: just create a file (with cache effect disabled or not), write 1024*1440B, lseek() to a very very fat offset, totally out of the file, and then write some bytes. The result is astonishing:

    nitrogen% ls -l tmp
    -rwx------ 1 dak wheel 1425637888 May 15 07:46 tmp

You can say it's not a problem, but the file is 1.5GB and I *only* lost 1MB on my disk... When editing the file, no problem occurs and I can show data at the very end of the file. Of course, when doing a fsck, it tells me the disk contains many errors.

I'm not a kernel developer and I'm not familiar with its functions :< so I cannot tell where the problem occurs (but if you can tell me where and why it occurs, it would be nice :))

(I've attached a sample code, even if it's easy to reproduce)

-- 
dak

PS: I've not sent a PR yet but if you think it's needed, I'll do it.
PS2: Sorry if my English isn't very good :)