Hi,
there is a potential off-by-one in the function fillinusemap() leading to
a possible out-of-bounds access (32 bytes after the allocated area).
pmp->pm_inusemap is allocated in msdosfs_vfsops.c like this:
bmapsiz = (pmp->pm_maxcluster + N_INUSEBITS - 1) / N_INUSEBITS;
pmp->pm_inusemap = malloc(bmapsiz * sizeof(*pmp->pm_inusemap),
M_MSDOSFSFAT, M_WAITOK | M_CANFAIL);
and accessed in msdosfs_fat.c like this:
for (cn = 0; cn < (pmp->pm_maxcluster + N_INUSEBITS) / N_INUSEBITS; cn++)
The assignment of bmapsiz and the for condition should be equal, and actually
resemble a resolved version of the howmany macro (hint to my howmany mail ;)).
Unfortunately the "- 1" is missing in the for loop. This _can_ lead to an
out-of-bounds access, depending on the actual pmp->pm_maxcluster value.
Tobias
Index: msdosfs_fat.c
===================================================================
RCS file: /cvs/src/sys/msdosfs/msdosfs_fat.c,v
retrieving revision 1.24
diff -u -p -r1.24 msdosfs_fat.c
--- msdosfs_fat.c 11 Jun 2013 16:42:16 -0000 1.24
+++ msdosfs_fat.c 16 Jun 2014 21:54:43 -0000
@@ -866,7 +866,7 @@ fillinusemap(struct msdosfsmount *pmp)
* Mark all clusters in use, we mark the free ones in the fat scan
* loop further down.
*/
- for (cn = 0; cn < (pmp->pm_maxcluster + N_INUSEBITS) / N_INUSEBITS;
cn++)
+ for (cn = 0; cn < (pmp->pm_maxcluster + N_INUSEBITS - 1) / N_INUSEBITS;
cn++)
pmp->pm_inusemap[cn] = (u_int)-1;
/*
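Review bot: before shrinking the loop bound, check which side of the mismatch is actually wrong. The old bound `(pmp->pm_maxcluster + N_INUSEBITS) / N_INUSEBITS` equals howmany(pm_maxcluster + 1, N_INUSEBITS), i.e. the number of words needed to give every cluster number 0..pm_maxcluster one bit; if pm_maxcluster is the highest cluster number that gets indexed into pm_inusemap (as its name suggests), then the bmapsiz allocation quoted in the mail is the undersized side, and the fix belongs in msdosfs_vfsops.c as `bmapsiz = (pmp->pm_maxcluster + N_INUSEBITS) / N_INUSEBITS;` rather than in this loop. Either way, the two expressions should be derived from one place; spelling both as howmany() would keep them from drifting apart again. With the code as it stands, the overshoot is exactly one u_int word of pm_inusemap, and it happens only when pm_maxcluster is a multiple of N_INUSEBITS.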
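As an added example (not part of the mail and not OpenBSD code), the following user-space C program reproduces the two bounds from the quoted kernel lines and runs the fill loop against a bounds-checked stand-in for pm_inusemap, so you can see for which pm_maxcluster values the pre-patch loop writes past the allocation. It also checks the allocation against the number of words needed to hold a bit for every cluster 0..pm_maxcluster, under the assumption (not stated on the page) that pm_maxcluster is the highest cluster number indexed into the map. The names toy_mount, store_word, simulate_fill, words_needed and alloc_covers_maxcluster are hypothetical helpers introduced here; N_INUSEBITS follows the kernel's definition as the number of bits in a u_int.

```c
#include <stdio.h>
#include <stdlib.h>

/* Bits per word of pm_inusemap, as in the kernel (u_int). */
#define N_INUSEBITS (8 * (int)sizeof(unsigned int))

/* Hypothetical toy stand-in for the struct msdosfsmount fields involved. */
struct toy_mount {
	unsigned int  maxcluster;   /* stands for pmp->pm_maxcluster */
	unsigned int *inusemap;     /* stands for pmp->pm_inusemap */
	size_t        bmapsiz;      /* number of words actually allocated */
};

/* Allocation size exactly as computed in msdosfs_vfsops.c (quoted in the mail). */
size_t bmapsiz_alloc(unsigned int maxcluster)
{
	return (maxcluster + N_INUSEBITS - 1) / N_INUSEBITS;
}

/* Loop bound used by fillinusemap() before the patch. */
size_t bound_old(unsigned int maxcluster)
{
	return (maxcluster + N_INUSEBITS) / N_INUSEBITS;
}

/* Loop bound proposed by the patch (identical to bmapsiz_alloc). */
size_t bound_new(unsigned int maxcluster)
{
	return (maxcluster + N_INUSEBITS - 1) / N_INUSEBITS;
}

/*
 * Words needed so that every cluster number 0..maxcluster has a bit.
 * Assumption (not on the page): maxcluster is the highest cluster number
 * that usemap_alloc()/usemap_free() will ever index.
 */
size_t words_needed(unsigned int maxcluster)
{
	return maxcluster / N_INUSEBITS + 1;
}

/* Bounds-checked word store: 0 on success, -1 if idx lies past the allocation. */
int store_word(struct toy_mount *m, size_t idx, unsigned int v)
{
	if (idx >= m->bmapsiz)
		return -1;
	m->inusemap[idx] = v;
	return 0;
}

/*
 * Run the fill loop with the given bound function against an allocation of
 * bmapsiz_alloc() words. Returns how many stores the kernel loop would have
 * made past the end of the allocation (0 means the loop fits), or -1 on OOM.
 */
int simulate_fill(unsigned int maxcluster, size_t (*bound)(unsigned int))
{
	struct toy_mount m;
	size_t cn, n = bound(maxcluster);
	int oob = 0;

	m.maxcluster = maxcluster;
	m.bmapsiz = bmapsiz_alloc(maxcluster);
	m.inusemap = calloc(m.bmapsiz ? m.bmapsiz : 1, sizeof(*m.inusemap));
	if (m.inusemap == NULL)
		return -1;

	for (cn = 0; cn < n; cn++)
		if (store_word(&m, cn, (unsigned int)-1) < 0)
			oob++;

	free(m.inusemap);
	return oob;
}

/* 1 if the allocation has a bit for cluster number maxcluster itself, else 0. */
int alloc_covers_maxcluster(unsigned int maxcluster)
{
	return bmapsiz_alloc(maxcluster) >= words_needed(maxcluster);
}

int main(void)
{
	/* Constructed sample values around the N_INUSEBITS boundary. */
	unsigned int vals[] = { 1, 31, 32, 33, 64, 65535, 65536 };
	size_t i;

	for (i = 0; i < sizeof(vals) / sizeof(vals[0]); i++) {
		unsigned int mc = vals[i];
		printf("maxcluster=%u alloc=%zu old_bound=%zu new_bound=%zu "
		       "old_oob=%d new_oob=%d covers_max=%d\n",
		       mc, bmapsiz_alloc(mc), bound_old(mc), bound_new(mc),
		       simulate_fill(mc, bound_old), simulate_fill(mc, bound_new),
		       alloc_covers_maxcluster(mc));
	}
	return 0;
}
```

Running it shows that the pre-patch loop overshoots by exactly one word, and only when pm_maxcluster is a multiple of N_INUSEBITS (32, 64, 65536 in the sample); for the same values the allocation itself has no bit for cluster number pm_maxcluster, which is the reason to settle what pm_maxcluster denotes before deciding which of the two expressions to change.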