Date: Tue, 3 Apr 2007 17:44:03 +0200 (CEST)
From: Thomas Quinot <thomas@cuivre.fr.eu.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/111191: dump(8) stack corruption
Message-ID: <20070403154403.C39375C1F0@melamine.cuivre.fr.eu.org>
Resent-Message-ID: <200704031550.l33Fo3dL082102@freefall.freebsd.org>
>Number:         111191
>Category:       bin
>Synopsis:       dump(8) stack corruption
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 03 15:50:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Quinot
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD melamine.cuivre.fr.eu.org 6.2-STABLE FreeBSD 6.2-STABLE #0: Sun Mar 18 12:49:35 CET 2007 thomas@melamine.cuivre.fr.eu.org:/space/build/obj/space/build/src/RELENG_6/sys/SMP i386
>Description:
Under some circumstances, the bread function in dump(8) can corrupt the dump process's stack, possibly resulting in an infinite loop. Specifically, if bread is called to read a chunk of data entirely contained within a block (i.e. base > 0 and resid > 0 and base + size < secsize), then xfer is miscomputed as secsize - base, and more data is written to the buffer than it can hold.
>How-To-Repeat:
Probably depends on specific filesystem structure; I encountered this situation on a UFS1 FS with the following properties:

magic   11954 (UFS1)    time    Tue Apr  3 17:38:58 2007
id      [ 3d628b58 6f35d1ae ]
ncg     456     size    22447680        blocks  22402990
bsize   16384   shift   14      mask    0xffffc000
fsize   16384   shift   14      mask    0xffffc000
frag    1       shift   0       fsbtodb 5
minfree 8%      optim   time    symlinklen 60
maxbpg  4096    maxcontig 7     contigsumsize 7
nbfree  4609027 ndir    238205  nifree  2822093 nffree  0
cpg     385     bpg     49280   fpg     49280   ipg     12288
nindir  4096    inopb   128     nspf    32      maxfilesize     1126174852055039
sbsize  8192    cgsize  16384   cgoffset 128    cgmask  0xffffffff
csaddr  99      cssize  16384
rotdelay 0ms    rps     60      trackskew 0     interleave 1
nsect   4096    npsect  4096    spc     4096
sblkno  1       cblkno  2       iblkno  3       dblkno  99
cgrotor 381     fmod    0       ronly   0       clean   0
avgfpdir 64     avgfilesize 16384
flags   soft-updates
fsmnt   /raid
volname         swuid   0
>Fix:
Index: traverse.c
===================================================================
RCS file: 
/space/mirror/ncvs/src/sbin/dump/traverse.c,v retrieving revision 1.36.2.1 diff -u -r1.36.2.1 traverse.c --- traverse.c 2 May 2006 19:08:36 -0000 1.36.2.1 +++ traverse.c 3 Apr 2007 15:31:33 -0000 @@ -777,7 +777,7 @@ cnt = cread(diskfd, tmpbuf, secsize, offset - base); if (cnt != secsize) goto bad; - xfer = secsize - base; + xfer = MIN(secsize - base, size); offset += xfer; bytes -= xfer; resid = bytes % secsize; >Release-Note: >Audit-Trail: >Unformatted:
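Review bot: `MIN()` comes from <sys/param.h>, and the hunk does not show whether traverse.c already includes it; the old `secsize - base` compiled without it, the new line will not, so confirm the include before committing. The clamp itself matches the failure described: when base + size < secsize, xfer becomes size instead of secsize - base, so the copy out of tmpbuf that the description refers to (outside this hunk) no longer exceeds the caller's buffer. Note that with xfer == size the following `bytes -= xfer` leaves bytes at 0 and `resid = bytes % secsize` at 0, so the whole-sector and trailing-partial steps after this hunk must tolerate a zero remainder; a one-line comment at the clamp naming the short-read case would help the next reader.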
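As an added illustration, not part of the PR and not dump(8)'s own source, the following C program models only the leading-partial-sector step of bread() that the description discusses: the whole sector is read into a temporary buffer, then xfer bytes are copied from base into the caller's buffer. The function names (leading_xfer, leading_partial_read, clobbered_past_end, make_device), the simulated device contents and the 0xAA canary are all constructed for this example; secsize uses the fsize of 16384 from the dumpfs output above. The caller's size-byte buffer is placed at the start of a larger canary-filled scratch area so that the unpatched arithmetic's overrun can be measured without the example itself writing out of bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* MIN() lives in <sys/param.h> on BSD; defined here so the model is portable. */
#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Transfer length chosen for the leading partial sector. `patched` selects
 * the expression from the PR's diff; the other branch is the original one. */
static size_t leading_xfer(size_t secsize, size_t base, size_t size, int patched)
{
    return patched ? MIN(secsize - base, size) : secsize - base;
}

/* Constructed "device": `nsec` sectors whose bytes are all <= 0x7f, so they
 * can never be mistaken for the 0xAA canary used below. */
static unsigned char *make_device(size_t secsize, size_t nsec)
{
    unsigned char *dev = malloc(secsize * nsec);
    for (size_t i = 0; i < secsize * nsec; i++)
        dev[i] = (unsigned char)(i & 0x7f);
    return dev;
}

/* Model of bread()'s leading-partial-sector step: the sector containing
 * `offset` is read whole (as cread() does in the hunk), then `xfer` bytes
 * starting at `base` are copied into the caller's buffer. Returns xfer. */
static size_t leading_partial_read(const unsigned char *dev, size_t secsize,
                                   size_t offset, unsigned char *dst,
                                   size_t size, int patched)
{
    size_t base = offset % secsize;
    if (base == 0)
        return 0;                                     /* aligned: path not taken */
    const unsigned char *tmpbuf = dev + (offset - base); /* one whole sector */
    size_t xfer = leading_xfer(secsize, base, size, patched);
    memcpy(dst, tmpbuf + base, xfer);                 /* the copy that can overrun */
    return xfer;
}

/* Stand-in for the caller's `size`-byte stack buffer: it sits at the start of
 * a secsize-byte scratch area filled with 0xAA, so an overrun lands in memory
 * this program owns. Returns how many canary bytes beyond `size` were
 * overwritten (0 means the copy stayed inside the caller's buffer). */
static size_t clobbered_past_end(size_t secsize, size_t offset, size_t size, int patched)
{
    unsigned char *dev = make_device(secsize, 2);
    unsigned char *scratch = malloc(secsize);
    memset(scratch, 0xAA, secsize);

    leading_partial_read(dev, secsize, offset, scratch, size, patched);

    size_t clobbered = 0;
    for (size_t i = size; i < secsize; i++)
        if (scratch[i] != 0xAA)
            clobbered++;
    free(scratch);
    free(dev);
    return clobbered;
}

int main(void)
{
    const size_t secsize = 16384;        /* fsize of the PR's filesystem */
    const size_t offset = secsize + 100; /* base = 100 */
    const size_t size = 200;             /* base + size < secsize: the PR's case */

    printf("unpatched: xfer=%zu, bytes written past the %zu-byte buffer: %zu\n",
           leading_xfer(secsize, 100, size, 0), size,
           clobbered_past_end(secsize, offset, size, 0));
    printf("patched:   xfer=%zu, bytes written past the %zu-byte buffer: %zu\n",
           leading_xfer(secsize, 100, size, 1), size,
           clobbered_past_end(secsize, offset, size, 1));
    return 0;
}
```

With base = 100 and size = 200 the unpatched expression yields xfer = 16284 and writes 16084 bytes past the end of a 200-byte buffer, while the clamped expression yields xfer = 200 and stays inside it; for a request that does span the sector boundary (size larger than secsize - base) both expressions agree, which is why the original code worked for the common case.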