authorPedro Martelletto <pedro@cvs.openbsd.org>2007-04-23 10:18:31 +0000
committerPedro Martelletto <pedro@cvs.openbsd.org>2007-04-23 10:18:31 +0000
commita8d23536a47053c6796654fde2dc56415a49c7b9 (patch)
tree3aebd3ba0c95eb609aef1f00d1ae5762d0078e3b /sbin
parent36bca77f437c4b4c34d922559b78c02e05542848 (diff)
Remove 'cg_space' from 'struct cg'. Due to the alignment on 64-bit
architectures, CGSIZE() was returning something slightly over one block. The 'new' fsck would round this value up to a fragment boundary, and end up trying to access memory beyond the allocated space. From mickey@, okay pedro@, millert@ and otto@.
Diffstat (limited to 'sbin')
-rw-r--r--sbin/fsck_ffs/pass5.c13
-rw-r--r--sbin/growfs/growfs.c6
-rw-r--r--sbin/newfs/mkfs.c4
3 files changed, 10 insertions, 13 deletions
diff --git a/sbin/fsck_ffs/pass5.c b/sbin/fsck_ffs/pass5.c
index 41c195e46f4..b954bcc7532 100644
--- a/sbin/fsck_ffs/pass5.c
+++ b/sbin/fsck_ffs/pass5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pass5.c,v 1.28 2007/04/21 19:25:52 otto Exp $ */
+/* $OpenBSD: pass5.c,v 1.29 2007/04/23 10:18:30 pedro Exp $ */
/* $NetBSD: pass5.c,v 1.16 1996/09/27 22:45:18 christos Exp $ */
/*
@@ -34,7 +34,7 @@
#if 0
static char sccsid[] = "@(#)pass5.c 8.6 (Berkeley) 11/30/94";
#else
-static const char rcsid[] = "$OpenBSD: pass5.c,v 1.28 2007/04/21 19:25:52 otto Exp $";
+static const char rcsid[] = "$OpenBSD: pass5.c,v 1.29 2007/04/23 10:18:30 pedro Exp $";
#endif
#endif /* not lint */
@@ -138,11 +138,9 @@ pass5(void)
case FS_DYNAMICPOSTBLFMT:
if (sblock.fs_magic == FS_UFS2_MAGIC) {
- newcg->cg_iusedoff = &newcg->cg_space[0] -
- (u_char *)(&newcg->cg_firstfield);
+ newcg->cg_iusedoff = sizeof(struct cg);
} else {
- newcg->cg_btotoff = &newcg->cg_space[0] -
- (u_char *)(&newcg->cg_firstfield);
+ newcg->cg_btotoff = sizeof(struct cg);
newcg->cg_boff = newcg->cg_btotoff +
fs->fs_cpg * sizeof(int32_t);
newcg->cg_iusedoff = newcg->cg_boff + fs->fs_cpg *
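Review bot: The two assignments of `sizeof(struct cg)` to `newcg->cg_iusedoff` and `newcg->cg_btotoff` make an offset stored in the cylinder group depend on the compiler's layout of the struct, including any trailing padding, and nothing in the hunk documents that. The struct definition is not part of this diff, so whether its size equals the end of its last field on every architecture cannot be confirmed from here. I would add a comment at the first assignment such as `/* maps start right after the fixed header; struct cg must have no trailing padding */`, and ideally define the header size once in a shared macro instead of repeating the expression. The same applies to `basesize` in the later pass5.c hunk, `acg.cg_btotoff` in growfs.c and `start` in mkfs.c. pass5() begins and ends outside this hunk.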
@@ -165,8 +163,7 @@ pass5(void)
howmany(fs->fs_cpg * fs->fs_spc / NSPB(fs), NBBY);
}
newcg->cg_magic = CG_MAGIC;
- basesize = &newcg->cg_space[0] -
- (u_char *)(&newcg->cg_firstfield);
+ basesize = sizeof(struct cg);
sumsize = newcg->cg_iusedoff - newcg->cg_btotoff;
mapsize = newcg->cg_nextfreeoff - newcg->cg_iusedoff;
break;
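Review bot: `basesize`, `sumsize` and `mapsize` are still derived from the computed offsets with no check in this hunk that `newcg->cg_nextfreeoff` fits inside the buffer `newcg` points to, which is the kind of overrun the commit message describes. The allocation is outside the hunk, so this may already be guaranteed elsewhere and should be confirmed. If it is not, a guard after the switch along the lines of `if (newcg->cg_nextfreeoff > NEWCG_ALLOC_SIZE /* placeholder: size newcg was allocated with */)` that reports the inconsistency and stops would turn a bad superblock-derived value into a clean error instead of an out-of-bounds access. pass5() continues past the end of this hunk.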
diff --git a/sbin/growfs/growfs.c b/sbin/growfs/growfs.c
index c82ffb1e70a..1d7ec8b243a 100644
--- a/sbin/growfs/growfs.c
+++ b/sbin/growfs/growfs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: growfs.c,v 1.17 2007/03/19 13:27:47 pedro Exp $ */
+/* $OpenBSD: growfs.c,v 1.18 2007/04/23 10:18:30 pedro Exp $ */
/*
* Copyright (c) 2000 Christoph Herrmann, Thomas-Henning von Kamptz
* Copyright (c) 1980, 1989, 1993 The Regents of the University of California.
@@ -46,7 +46,7 @@ static const char copyright[] =
Copyright (c) 1980, 1989, 1993 The Regents of the University of California.\n\
All rights reserved.\n";
-static const char rcsid[] = "$OpenBSD: growfs.c,v 1.17 2007/03/19 13:27:47 pedro Exp $";
+static const char rcsid[] = "$OpenBSD: growfs.c,v 1.18 2007/04/23 10:18:30 pedro Exp $";
#endif /* not lint */
/* ********************************************************** INCLUDES ***** */
@@ -384,7 +384,7 @@ initcg(int cylno, time_t utime, int fso, unsigned int Nflag)
acg.cg_ndblk = dmax - cbase;
if (sblock.fs_contigsumsize > 0)
acg.cg_nclusterblks = acg.cg_ndblk / sblock.fs_frag;
- acg.cg_btotoff = &acg.cg_space[0] - (u_char *)(&acg.cg_firstfield);
+ acg.cg_btotoff = sizeof(struct cg);
acg.cg_boff = acg.cg_btotoff + sblock.fs_cpg * sizeof(int32_t);
acg.cg_iusedoff = acg.cg_boff +
sblock.fs_cpg * sblock.fs_nrpos * sizeof(u_int16_t);
diff --git a/sbin/newfs/mkfs.c b/sbin/newfs/mkfs.c
index 87bcf177729..900fb1a30a4 100644
--- a/sbin/newfs/mkfs.c
+++ b/sbin/newfs/mkfs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mkfs.c,v 1.57 2007/04/18 14:13:31 otto Exp $ */
+/* $OpenBSD: mkfs.c,v 1.58 2007/04/23 10:18:30 pedro Exp $ */
/* $NetBSD: mkfs.c,v 1.25 1995/06/18 21:35:38 cgd Exp $ */
/*
@@ -640,7 +640,7 @@ initcg(int cylno, time_t utime)
sblock.fs_ipg : 2 * INOPB(&sblock);
acg.cg_ndblk = dmax - cbase;
- start = &acg.cg_space[0] - (u_char *)(&acg.cg_firstfield);
+ start = sizeof(struct cg);
if (Oflag <= 1) {
/* Hack to maintain compatibility with old fsck. */
if (cylno == sblock.fs_ncg - 1)