2019-12-27 04:50:07

by Theodore Ts'o

Subject: Re: e2fsprogs.git dumpe2fs / mke2fs sigserv on sparc64

On Wed, Dec 18, 2019 at 03:01:03AM +0300, Anatoly Pugachev wrote:
> On Tue, Dec 17, 2019 at 9:01 PM Anatoly Pugachev <[email protected]> wrote:
> >
> > Getting current git e2fsprogs of dumpe2fs/mke2fs (and probably others)
> > segfaults (via make check) with the following backtrace...

Hi,

Thanks for reporting this bug. It should be fixed with this commit:

commit c9a8c53b17ccc4543509d55ff3b343ddbfe805e5
Author: Theodore Ts'o <[email protected]>
Date: Thu Dec 26 23:19:54 2019 -0500

libext2fs: fix crash in ext2fs_open2() on Big Endian systems

Commit e6069a05: ("Teach ext2fs_open2() to honor the
EXT2_FLAG_SUPER_ONLY flag") changed how the function
ext2fs_group_desc() handled a request for a gdp pointer for a group
larger than the number of groups in the file system; it now returns
NULL, instead of returning a pointer beyond the end of the array.

Previously, the ext2fs_open2() function would swap all of the block
group descriptors in a block, even if they are beyond the end of the
file system. This was OK, since we were not overrunning the allocated
memory, since it was rounded to a block boundary. But now that
ext2fs_group_desc() would return NULL for those gdp, it would cause
ext2fs_open2(), when it was byte swapping the block group descriptors
on Big Endian systems, to dereference a null pointer and crash.

This commit adds a NULL pointer check to avoid byte swapping those
block group descriptors which lie in a bg descriptor block but beyond
the end of the file system, to address this crash.

Signed-off-by: Theodore Ts'o <[email protected]>
Reported-by: Anatoly Pugachev <[email protected]>

diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c
index ec2d6cb4..3331452d 100644
--- a/lib/ext2fs/openfs.c
+++ b/lib/ext2fs/openfs.c
@@ -435,7 +435,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
gdp = (struct ext2_group_desc *) dest;
for (j=0; j < groups_per_block*first_meta_bg; j++) {
gdp = ext2fs_group_desc(fs, fs->group_desc, j);
- ext2fs_swap_group_desc2(fs, gdp);
+ if (gdp)
+ ext2fs_swap_group_desc2(fs, gdp);
}
#endif
dest += fs->blocksize*first_meta_bg;
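Review bot: the `if (gdp)` guard is correct but gives no hint why the lookup can fail here; since the loop runs to `groups_per_block*first_meta_bg` rather than stopping at the last real group, a one-line comment on the new check (padding slots past the end of the file system now come back as NULL from ext2fs_group_desc()) would keep the next reader from taking it for a defensive no-op, and bounding the loop by the group count would be the alternative that avoids the out-of-range lookups entirely.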
@@ -455,7 +456,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
for (j=0; j < groups_per_block; j++) {
gdp = ext2fs_group_desc(fs, fs->group_desc,
i * groups_per_block + j);
- ext2fs_swap_group_desc2(fs, gdp);
+ if (gdp)
+ ext2fs_swap_group_desc2(fs, gdp);
}
#endif
dest += fs->blocksize;
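Review bot: patching the same assumption in two loops suggests other big-endian callers of ext2fs_swap_group_desc2() may still pass the result of ext2fs_group_desc() through unchecked; the follow-up in this thread shows the identical NULL dereference reached from ext2fs_image_super_write() at imager.c:248, so a sweep of the remaining callers is worth doing alongside this change rather than fixing one crash at a time.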

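The mechanism the commit message describes, as an added example that is not e2fsprogs code: a constructed toy filesystem whose descriptor table is rounded up to whole blocks (so slots past the last group exist in memory), a hypothetical lookup `toy_group_desc()` with the new NULL-past-the-end contract, and the patched swap loop with its `if (gdp)` check. The struct names, the field subset, the 32-byte descriptor size and all values are assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, cut-down stand-in for struct ext2_group_desc: only the fields
 * swapped below are modelled, padded to 32 bytes (real layout not reproduced). */
struct gdesc {
    uint32_t bg_block_bitmap;
    uint16_t bg_free_blocks_count;
    uint8_t  pad[26];
};
struct toy_fs {                 /* constructed stand-in for ext2_filsys fields */
    unsigned blocksize;
    unsigned group_desc_count;  /* groups that really exist */
    unsigned desc_blocks;       /* blocks occupied by the padded table */
    unsigned char *group_desc;  /* table, rounded up to whole blocks */
};

static uint32_t swab32(uint32_t v)
{
    return (v << 24) | ((v & 0xff00U) << 8) | ((v >> 8) & 0xff00U) | (v >> 24);
}
static uint16_t swab16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* Hypothetical lookup with the post-e6069a05 contract the commit message
 * describes: NULL past the last group, never a pointer past the table's end. */
static struct gdesc *toy_group_desc(const struct toy_fs *fs, unsigned idx)
{
    if (idx >= fs->group_desc_count)
        return NULL;
    return (struct gdesc *)(fs->group_desc + (size_t)idx * sizeof(struct gdesc));
}

static void toy_swap_group_desc(struct gdesc *g)
{
    g->bg_block_bitmap      = swab32(g->bg_block_bitmap);
    g->bg_free_blocks_count = swab16(g->bg_free_blocks_count);
}

/* Byte-swap one descriptor block the way the patched ext2fs_open2() loop does:
 * visit every slot in the block but swap only the ones the lookup says exist.
 * Returns the number swapped; *skipped counts the padding slots that the
 * unpatched loop handed to the swap routine as NULL (the reported crash). */
static unsigned swap_desc_block(struct toy_fs *fs, unsigned blk, unsigned *skipped)
{
    unsigned groups_per_block = fs->blocksize / sizeof(struct gdesc);
    unsigned swapped = 0, j;
    for (j = 0; j < groups_per_block; j++) {
        struct gdesc *gdp = toy_group_desc(fs, blk * groups_per_block + j);
        if (gdp) {                      /* the check the patch adds */
            toy_swap_group_desc(gdp);
            swapped++;
        } else {
            (*skipped)++;
        }
    }
    return swapped;
}

/* Build a constructed fs whose descriptor table is rounded up to whole blocks;
 * that rounding is why slots past the last group exist in memory at all. */
static struct toy_fs *build_fs(unsigned blocksize, unsigned count)
{
    unsigned groups_per_block = blocksize / sizeof(struct gdesc), i;
    struct toy_fs *fs = calloc(1, sizeof(*fs));
    fs->blocksize = blocksize;
    fs->group_desc_count = count;
    fs->desc_blocks = (count + groups_per_block - 1) / groups_per_block;
    fs->group_desc = calloc(fs->desc_blocks, blocksize);
    for (i = 0; i < count; i++) {
        struct gdesc *g = toy_group_desc(fs, i);
        g->bg_block_bitmap = 0x100U + i;         /* constructed values */
        g->bg_free_blocks_count = 0x1234;
    }
    return fs;
}

/* Demo: 5 groups, 4 descriptors per 128-byte block -> 2 blocks, 3 padding
 * slots in the second. Reports totals and group 0's bitmap field after swap. */
static void run_demo(unsigned *swapped, unsigned *skipped, uint32_t *g0_bitmap)
{
    struct toy_fs *fs = build_fs(128, 5);
    unsigned b;
    *swapped = *skipped = 0;
    for (b = 0; b < fs->desc_blocks; b++)
        *swapped += swap_desc_block(fs, b, skipped);
    *g0_bitmap = toy_group_desc(fs, 0)->bg_block_bitmap;
    free(fs->group_desc);
    free(fs);
}
static unsigned demo_swapped(void) { unsigned s, k; uint32_t m; run_demo(&s, &k, &m); return s; }
static unsigned demo_skipped(void) { unsigned s, k; uint32_t m; run_demo(&s, &k, &m); return k; }
static uint32_t demo_g0_bitmap(void) { unsigned s, k; uint32_t m; run_demo(&s, &k, &m); return m; }

int main(void)
{
    printf("swapped=%u skipped=%u group0 bitmap=0x%08x\n", demo_swapped(), demo_skipped(), (unsigned)demo_g0_bitmap());
    return 0;
}
```

With five groups and four descriptors per block the second block carries three padding slots; before the patch each of those became a NULL handed to the swap routine, which is exactly the gdp=0x0 frame in the sparc64 backtrace. The skipped count is the cheap way to see how many such slots a given layout produces, and it is zero only when the group count is a multiple of groups_per_block, which is why little-endian builds (no swap loop) and most test images never hit the crash.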

2019-12-28 17:17:40

by Anatoly Pugachev

Subject: Re: e2fsprogs.git dumpe2fs / mke2fs sigserv on sparc64

On Fri, Dec 27, 2019 at 7:49 AM Theodore Y. Ts'o <[email protected]> wrote:
>
> On Wed, Dec 18, 2019 at 03:01:03AM +0300, Anatoly Pugachev wrote:
> > On Tue, Dec 17, 2019 at 9:01 PM Anatoly Pugachev <[email protected]> wrote:
> > >
> > > Getting current git e2fsprogs of dumpe2fs/mke2fs (and probably others)
> > > segfaults (via make check) with the following backtrace...
>
> Hi,
>
> Thanks for reporting this bug. It should be fixed with this commit:
>
> commit c9a8c53b17ccc4543509d55ff3b343ddbfe805e5

Theodore, thanks.
This patch fixes the issue with the whole e2fsprogs test suite.

PS: there's another one which failed:
366 tests succeeded 1 tests failed

i_bitmaps: e2image bitmap read/write test: failed


e2fsprogs.git$ git desc
v1.45.4-57-g523219f2

$ cd e2fsprogs.git/tests/i_bitmaps

e2fsprogs.git/tests/i_bitmaps$ ulimit -c unlimited

e2fsprogs.git/tests/i_bitmaps$ ../../misc/e2image /tmp/image /tmp/image.e2i
e2image 1.46-WIP (09-Oct-2019)
Segmentation fault (core dumped)

e2fsprogs.git/tests/i_bitmaps$ gdb -q ../../misc/e2image
Reading symbols from ../../misc/e2image...
(gdb) set args /tmp/image /tmp/image.e2i
(gdb) run
Starting program: e2fsprogs.git/misc/e2image /tmp/image /tmp/image.e2i
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/sparc64-linux-gnu/libthread_db.so.1".
e2image 1.46-WIP (09-Oct-2019)

Program received signal SIGSEGV, Segmentation fault.
ext2fs_swap_group_desc2 (fs=0x10000148a90, gdp=0x0) at swapfs.c:145
145 gdp->bg_block_bitmap = ext2fs_swab32(gdp->bg_block_bitmap);
(gdb) br
Breakpoint 1 at 0x1000001bb10: file swapfs.c, line 145.
(gdb) p gdp
$1 = (struct ext2_group_desc *) 0x0
(gdb)

2019-12-28 18:03:16

by Anatoly Pugachev

Subject: Re: e2fsprogs.git dumpe2fs / mke2fs sigserv on sparc64

On Sat, Dec 28, 2019 at 8:17 PM Anatoly Pugachev <[email protected]> wrote:
>
> On Fri, Dec 27, 2019 at 7:49 AM Theodore Y. Ts'o <[email protected]> wrote:
> >
> > On Wed, Dec 18, 2019 at 03:01:03AM +0300, Anatoly Pugachev wrote:
> > > On Tue, Dec 17, 2019 at 9:01 PM Anatoly Pugachev <[email protected]> wrote:
> > > >
> > > > Getting current git e2fsprogs of dumpe2fs/mke2fs (and probably others)
> > > > segfaults (via make check) with the following backtrace...
> >
> > Hi,
> >
> > Thanks for reporting this bug. It should be fixed with this commit:
> >
> > commit c9a8c53b17ccc4543509d55ff3b343ddbfe805e5
>
> Theodore, thanks.
> This patch fixes the issue with the whole e2fsprogs test suite.
>
> PS: there's another one which failed:
> 366 tests succeeded 1 tests failed
>
> i_bitmaps: e2image bitmap read/write test: failed
>
>
> e2fsprogs.git$ git desc
> v1.45.4-57-g523219f2
>
> $ cd e2fsprogs.git/tests/i_bitmaps
>
> e2fsprogs.git/tests/i_bitmaps$ ulimit -c unlimited
>
> e2fsprogs.git/tests/i_bitmaps$ ../../misc/e2image /tmp/image /tmp/image.e2i
> e2image 1.46-WIP (09-Oct-2019)
> Segmentation fault (core dumped)
>
> e2fsprogs.git/tests/i_bitmaps$ gdb -q ../../misc/e2image
> Reading symbols from ../../misc/e2image...
> (gdb) set args /tmp/image /tmp/image.e2i
> (gdb) run
> Starting program: e2fsprogs.git/misc/e2image /tmp/image /tmp/image.e2i
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/sparc64-linux-gnu/libthread_db.so.1".
> e2image 1.46-WIP (09-Oct-2019)
>
> Program received signal SIGSEGV, Segmentation fault.
> ext2fs_swap_group_desc2 (fs=0x10000148a90, gdp=0x0) at swapfs.c:145
> 145 gdp->bg_block_bitmap = ext2fs_swab32(gdp->bg_block_bitmap);
> (gdb) br
> Breakpoint 1 at 0x1000001bb10: file swapfs.c, line 145.

This was meant to be bt (backtrace), not br (breakpoint):

Program received signal SIGSEGV, Segmentation fault.
ext2fs_swap_group_desc2 (fs=0x10000148a90, gdp=0x0) at swapfs.c:145
145 gdp->bg_block_bitmap = ext2fs_swab32(gdp->bg_block_bitmap);
(gdb) bt
#0 ext2fs_swap_group_desc2 (fs=0x10000148a90, gdp=0x0) at swapfs.c:145
#1 0x00000100000080fc in ext2fs_image_super_write (fs=0x10000148a90,
fd=<optimized out>, flags=<optimized out>) at imager.c:248
#2 0x0000010000004cc8 in write_image_file (fd=<optimized out>,
fs=<optimized out>) at e2image.c:245
#3 main (argc=<optimized out>, argv=<optimized out>) at e2image.c:1717
(gdb)