NetBSD Problem Report #31565
From wgstuken@s012.nagler-company.com Wed Oct 12 10:09:08 2005
Return-Path: <wgstuken@s012.nagler-company.com>
Received: from s012.nagler-company.com (s012.nagler-company.com [212.222.97.133])
by narn.netbsd.org (Postfix) with ESMTP id 7EA4C63B878
for <gnats-bugs@gnats.NetBSD.org>; Wed, 12 Oct 2005 10:09:07 +0000 (UTC)
Message-Id: <200510121009.j9CA95QO023159@s012.nagler-company.com>
Date: Wed, 12 Oct 2005 12:09:05 +0200 (CEST)
From: Wolfgang Stukenbrock <wgstuken@s012.nagler-company.com>
Reply-To: wgstuken@s012.nagler-company.com
To: gnats-bugs@netbsd.org
Subject: disk-bounds check may lose if requested transfer is very big or secsize is not DEV_BSIZE
X-Send-Pr-Version: 3.95
>Number: 31565
>Category: kern
>Synopsis: disk-bounds check may lose if requested transfer is very big or secsize is not DEV_BSIZE
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Oct 12 10:10:01 +0000 2005
>Closed-Date: Sat Nov 28 22:39:24 +0000 2009
>Last-Modified: Sat Nov 28 22:40:01 +0000 2009
>Originator: Wolfgang Stukenbrock
>Release: NetBSD 2.0.2
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD s012 2.0_RC5 NetBSD 2.0_RC5 (S012) #6: Tue Nov 30 11:38:39 CET 2004 wgstuken@s012:/export/netbsd-2.0rc4/src/sys/arch/i386/compile/S012 i386
Architecture: i386
Machine: i386
>Description:
In file sys/kern/subr_disks.c in the routine bounds_check_with_mediasize()
the local variable used for blocknumber calculation is only of type int.
But the Blocknumber and Blockcounts are int64. This may lead to problems if
very large transfer requests beyond the end of the disk are issued.
A second problem may be the shift constant DEV_BSHIFT used in this routine
when truncating the last request. The parameter secsize should be used here,
because secsize is used before and if secsize != (1 << DEV_BSHIFT) then a
wrong b_count will result here!
>How-To-Repeat:
I've found this in the source code while searching for another problem with
diskio at physical block 0x0fffffff.
>Fix:
change size of the local variable sz to daddr_t (or an equivalent 64 bit
type) and replace the shift by a multiply with secsize.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: dsl@NetBSD.org
State-Changed-When: Sat, 28 Nov 2009 22:39:24 +0000
State-Changed-Why:
'sz' was changed to int64_t some time ago.
I've just replaced the shift by a multiply by 'secsize'.
From: David Laight <dsl@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/31565 CVS commit: src/sys/kern
Date: Sat, 28 Nov 2009 22:38:07 +0000
Module Name: src
Committed By: dsl
Date: Sat Nov 28 22:38:07 UTC 2009
Modified Files:
src/sys/kern: subr_disk.c
Log Message:
When truncating a request in bounds_check_with_mediasize() multiply
by the provided sector size instead of 512.
Fixes last bit of PR/31565
To generate a diff of this commit:
cvs rdiff -u -r1.98 -r1.99 src/sys/kern/subr_disk.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
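The two defects this report describes, reproduced in a simplified stand-alone model (an added example, not the NetBSD source or the committed change). The names clamp_reported and clamp_fixed, the return convention, and the choice to express blkno and mediasize in sectors of secsize bytes are assumptions made for the illustration; the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#define DEV_BSHIFT 9 /* 512-byte units; the constant named in the report */

/* Model of the check as reported: 32-bit 'sz', DEV_BSHIFT on truncation.
 * Returns the allowed byte count, 0 at end of media, -1 if past the end. */
static int64_t clamp_reported(int64_t blkno, int64_t bcount, int secsize,
                              int64_t mediasize)
{
    /* Narrowing to int wraps modulo 2^32 on gcc/clang (implementation-defined). */
    int sz = (int)((bcount + secsize - 1) / secsize);
    if (blkno + sz > mediasize) {
        sz = (int)(mediasize - blkno);
        if (sz == 0) return 0;
        if (sz < 0) return -1;
        return (int64_t)sz << DEV_BSHIFT; /* wrong unless secsize == 512 */
    }
    return bcount;
}

/* Same check with the two changes the report asks for. */
static int64_t clamp_fixed(int64_t blkno, int64_t bcount, int secsize,
                           int64_t mediasize)
{
    int64_t sz = (bcount + secsize - 1) / secsize; /* 64-bit sector count */
    if (blkno + sz > mediasize) {
        sz = mediasize - blkno;
        if (sz == 0) return 0;
        if (sz < 0) return -1;
        return sz * secsize; /* bytes in the media's own sector size */
    }
    return bcount;
}

int main(void)
{
    int64_t big = INT64_C(1) << 32; /* constructed inputs, 1000-sector media */
    /* 2048-byte sectors, 4-sector request with only 2 sectors left. */
    printf("%lld %lld\n", (long long)clamp_reported(998, 8192, 2048, 1000),
           (long long)clamp_fixed(998, 8192, 2048, 1000));
    /* Start block far past the end: the 32-bit 'sz' wraps to +10. */
    printf("%lld %lld\n", (long long)clamp_reported(990 + big, 8192, 512, 1000),
           (long long)clamp_fixed(990 + big, 8192, 512, 1000));
    /* Transfer of 2^32 + 8 sectors from block 0: 'sz' wraps to 8. */
    printf("%lld %lld\n", (long long)clamp_reported(0, (big + 8) * 512, 512, 1000),
           (long long)clamp_fixed(0, (big + 8) * 512, 512, 1000));
    return 0;
}
```

In the second and third cases the model with the 32-bit 'sz' lets through a request that lies beyond the media, while the 64-bit version rejects or truncates it.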
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.