Date: Thu, 26 Dec 2019 23:49:36 -0500
From: "Theodore Y. Ts'o"
To: Anatoly Pugachev
Cc: linux-ext4@vger.kernel.org
Subject: Re: e2fsprogs.git dumpe2fs / mke2fs sigserv on sparc64
Message-ID: <20191227044936.GB70060@mit.edu>

On Wed, Dec 18, 2019 at 03:01:03AM +0300, Anatoly Pugachev wrote:
> On Tue, Dec 17, 2019 at 9:01 PM Anatoly Pugachev wrote:
> >
> > Getting current git e2fsprogs of dumpe2fs/mke2fs (and probably others)
> > segfaults (via make check) with the following backtrace...

Hi,

Thanks for reporting this bug.  It should be fixed with this commit:

commit c9a8c53b17ccc4543509d55ff3b343ddbfe805e5
Author: Theodore Ts'o
Date:   Thu Dec 26 23:19:54 2019 -0500

    libext2fs: fix crash in ext2fs_open2() on Big Endian systems

    Commit e6069a05: ("Teach ext2fs_open2() to honor the
    EXT2_FLAG_SUPER_ONLY flag") changed how the function
    ext2fs_group_desc() handled a request for a gdp pointer for a group
    larger than the number of groups in the file system; it now returns
    NULL, instead of returning a pointer beyond the end of the array.

    Previously, the ext2fs_open2() function would swap all of the block
    group descriptors in a block, even if they are beyond the end of the
    file system.  This was OK, since we were not overrunning the
    allocated memory, since it was rounded to a block boundary.  But now
    that ext2fs_group_desc() would return NULL for those gdp, it would
    cause ext2fs_open2(), when it was byte swapping the block group
    descriptors on Big Endian systems, to dereference a null pointer and
    crash.

    This commit adds a NULL pointer check to avoid byte swapping those
    block group descriptors in a bg descriptor block, but which are
    beyond the end of the file system, to address this crash.

    Signed-off-by: Theodore Ts'o
    Reported-by: Anatoly Pugachev

diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c index ec2d6cb4..3331452d 100644 --- a/lib/ext2fs/openfs.c +++ b/lib/ext2fs/openfs.c @@ -435,7 +435,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options, gdp = (struct ext2_group_desc *) dest; for (j=0; j < groups_per_block*first_meta_bg; j++) { gdp = ext2fs_group_desc(fs, fs->group_desc, j); - ext2fs_swap_group_desc2(fs, gdp); + if (gdp) + ext2fs_swap_group_desc2(fs, gdp); } #endif dest += fs->blocksize*first_meta_bg; @@ -455,7 +456,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options, for (j=0; j < groups_per_block; j++) { gdp = ext2fs_group_desc(fs, fs->group_desc, i * groups_per_block + j); - ext2fs_swap_group_desc2(fs, gdp); + if (gdp) + ext2fs_swap_group_desc2(fs, gdp); } #endif dest += fs->blocksize;
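
Review bot: The new "if (gdp)" in the first loop (the one bounded by groups_per_block*first_meta_bg) has no comment saying why NULL is expected here, so it reads as defensive noise that a later cleanup could drop. A one-line comment that ext2fs_group_desc() returns NULL for slots in the descriptor block past the last group would tie the check to the reason given in the commit message. The context line "gdp = (struct ext2_group_desc *) dest;" above the loop is also overwritten on the first iteration and could go.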
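
Review bot: The second loop, indexed by "i * groups_per_block + j", now carries the same guarded swap as the first, so the two copies can drift apart. Consider a small helper that does the lookup, the NULL check and the call to ext2fs_swap_group_desc2(), used by both loops. Going by the commit message, NULL only means the index is past the last group, and the index only increases within the loop, so a "break" on the first NULL would also state the intent more directly than testing every remaining slot.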
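
The failure mode the commit message describes, as an added example that is not part of the original e-mail or of e2fsprogs. It is a toy model (every name and size in it is an assumption) in which descriptor storage is rounded up to whole blocks, the lookup returns NULL past the last group, and the swap loop skips those padding slots.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy model, not libext2fs: every name and size here is an assumption. */
#define DESCS_PER_BLOCK 4
struct toy_desc { uint32_t block_bitmap; };
/* group_count descriptors exist; descs storage is rounded up to whole blocks. */
struct toy_fs { unsigned group_count; struct toy_desc *descs; };
struct toy_result { unsigned swapped; uint32_t first, padding; };

/* Like the lookup described in the commit message: NULL past the last group. */
static struct toy_desc *toy_group_desc(struct toy_fs *fs, unsigned group) {
    return group < fs->group_count ? &fs->descs[group] : NULL;
}

static uint32_t swab32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Byte swap every slot of every descriptor block; returns the number swapped. */
static unsigned toy_swap_all(struct toy_fs *fs) {
    unsigned blocks = (fs->group_count + DESCS_PER_BLOCK - 1) / DESCS_PER_BLOCK;
    unsigned swapped = 0;
    for (unsigned i = 0; i < blocks; i++)
        for (unsigned j = 0; j < DESCS_PER_BLOCK; j++) {
            struct toy_desc *gdp = toy_group_desc(fs, i * DESCS_PER_BLOCK + j);
            if (!gdp)         /* padding slot: dereferencing it would crash */
                continue;
            gdp->block_bitmap = swab32(gdp->block_bitmap);
            swapped++;
        }
    return swapped;
}

/* Constructed case: 6 groups in 2 blocks of 4 slots; slots 6 and 7 are padding. */
static struct toy_result demo(void) {
    struct toy_desc descs[2 * DESCS_PER_BLOCK];
    struct toy_fs fs = { 6, descs };
    for (unsigned g = 0; g < 2 * DESCS_PER_BLOCK; g++)
        descs[g].block_bitmap = 0x11223344u;
    unsigned n = toy_swap_all(&fs);
    return (struct toy_result){ n, descs[0].block_bitmap, descs[7].block_bitmap };
}

int main(void) {
    struct toy_result r = demo();
    printf("swapped=%u first=%08x padding=%08x\n", r.swapped, r.first, r.padding);
    return 0;
}
```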