authorOtto Moerbeek <otto@cvs.openbsd.org>2007-12-04 19:32:14 +0000
committerOtto Moerbeek <otto@cvs.openbsd.org>2007-12-04 19:32:14 +0000
commit106a7053e6cdfa8d8e57a85b2d3d04546e204a75 (patch)
tree4628aea6f23ada1ea7ee0fefbc99f7a817b54d5c /sys/ufs
parent532e8a1b5bc3e7867c7688b5b122f4770c0a92f3 (diff)
fix out of partition/memory bounds access when accessing blocks at the tail
end; avoids bad address errors; original diff by me with cleanup by millert@; ok millert@
Diffstat (limited to 'sys/ufs')
-rw-r--r--sys/ufs/mfs/mfs_extern.h5
-rw-r--r--sys/ufs/mfs/mfs_vfsops.c6
-rw-r--r--sys/ufs/mfs/mfs_vnops.c15
3 files changed, 15 insertions, 11 deletions
diff --git a/sys/ufs/mfs/mfs_extern.h b/sys/ufs/mfs/mfs_extern.h
index acd5b0aae35..28655834bff 100644
--- a/sys/ufs/mfs/mfs_extern.h
+++ b/sys/ufs/mfs/mfs_extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: mfs_extern.h,v 1.13 2007/11/28 19:31:31 millert Exp $ */
+/* $OpenBSD: mfs_extern.h,v 1.14 2007/12/04 19:32:13 otto Exp $ */
/* $NetBSD: mfs_extern.h,v 1.4 1996/02/09 22:31:27 christos Exp $ */
/*-
@@ -41,6 +41,7 @@ struct ucred;
struct vnode;
struct vfsconf;
struct mbuf;
+struct mfsnode;
__BEGIN_DECLS
/* mfs_vfsops.c */
@@ -55,7 +56,7 @@ int mfs_checkexp(struct mount *, struct mbuf *, int *, struct ucred **);
int mfs_open(void *);
int mfs_ioctl(void *);
int mfs_strategy(void *);
-void mfs_doio(struct buf *, caddr_t);
+void mfs_doio(struct mfsnode *, struct buf *);
int mfs_bmap(void *);
int mfs_close(void *);
int mfs_inactive(void *);
diff --git a/sys/ufs/mfs/mfs_vfsops.c b/sys/ufs/mfs/mfs_vfsops.c
index 400bfa4a0c5..6264f1a0aef 100644
--- a/sys/ufs/mfs/mfs_vfsops.c
+++ b/sys/ufs/mfs/mfs_vfsops.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mfs_vfsops.c,v 1.36 2007/11/28 19:31:31 millert Exp $ */
+/* $OpenBSD: mfs_vfsops.c,v 1.37 2007/12/04 19:32:13 otto Exp $ */
/* $NetBSD: mfs_vfsops.c,v 1.10 1996/02/09 22:31:28 christos Exp $ */
/*
@@ -172,14 +172,12 @@ mfs_start(struct mount *mp, int flags, struct proc *p)
struct vnode *vp = VFSTOUFS(mp)->um_devvp;
struct mfsnode *mfsp = VTOMFS(vp);
struct buf *bp;
- caddr_t base;
int sleepreturn = 0;
- base = mfsp->mfs_baseoff;
while (mfsp->mfs_buflist != (struct buf *)-1) {
while ((bp = mfsp->mfs_buflist) != NULL) {
mfsp->mfs_buflist = bp->b_actf;
- mfs_doio(bp, base);
+ mfs_doio(mfsp, bp);
wakeup((caddr_t)bp);
}
/*
diff --git a/sys/ufs/mfs/mfs_vnops.c b/sys/ufs/mfs/mfs_vnops.c
index d9bb8465cd7..1a28d53a378 100644
--- a/sys/ufs/mfs/mfs_vnops.c
+++ b/sys/ufs/mfs/mfs_vnops.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mfs_vnops.c,v 1.29 2007/11/28 19:31:31 millert Exp $ */
+/* $OpenBSD: mfs_vnops.c,v 1.30 2007/12/04 19:32:13 otto Exp $ */
/* $NetBSD: mfs_vnops.c,v 1.8 1996/03/17 02:16:32 christos Exp $ */
/*
@@ -146,7 +146,7 @@ mfs_strategy(void *v)
mfsp = VTOMFS(vp);
if (p != NULL && mfsp->mfs_pid == p->p_pid) {
- mfs_doio(bp, mfsp->mfs_baseoff);
+ mfs_doio(mfsp, bp);
} else {
bp->b_actf = mfsp->mfs_buflist;
mfsp->mfs_buflist = bp;
@@ -161,11 +161,16 @@ mfs_strategy(void *v)
* Trivial on the HP since buffer has already been mapped into KVA space.
*/
void
-mfs_doio(struct buf *bp, caddr_t base)
+mfs_doio(struct mfsnode *mfsp, struct buf *bp)
{
+ caddr_t base;
+ long offset = bp->b_blkno << DEV_BSHIFT;
int s;
- base += (bp->b_blkno << DEV_BSHIFT);
+ if (bp->b_bcount > mfsp->mfs_size - offset)
+ bp->b_bcount = mfsp->mfs_size - offset;
+
+ base = mfsp->mfs_baseoff + offset;
if (bp->b_flags & B_READ)
bp->b_error = copyin(base, bp->b_data, bp->b_bcount);
else
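Review bot: The new clamp in mfs_doio, `if (bp->b_bcount > mfsp->mfs_size - offset)`, covers a request that starts inside the memory region and runs past its end, but not one whose `offset` is already at or beyond `mfs_size`, or negative. In that case `mfs_size - offset` goes negative or wraps (the field types are not visible in this diff), so `b_bcount` is either set to a nonsensical length or left unclamped while `base` points outside the region used for the copy. I would add a guard before the clamp, `if (offset < 0 || offset >= mfsp->mfs_size)`, that sets `bp->b_error = EINVAL` and skips the copy. Separately, `bp->b_blkno << DEV_BSHIFT` is evaluated in the type of `b_blkno` before it is widened to `long`, so if that type is narrower the shift can overflow; `(long)bp->b_blkno << DEV_BSHIFT` avoids that. The function body continues past the end of this hunk, so how a shortened transfer is reported back to the requester (for example through `b_resid`) cannot be checked from here.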
@@ -215,7 +220,7 @@ mfs_close(void *v)
*/
while ((bp = mfsp->mfs_buflist) != NULL) {
mfsp->mfs_buflist = bp->b_actf;
- mfs_doio(bp, mfsp->mfs_baseoff);
+ mfs_doio(mfsp, bp);
wakeup((caddr_t)bp);
}
/*