[LU-10205] e2fsck: buffer overflow in ext2fs_expand_extra_isize

Tue, 23 Jan 2018 14:18:18 +0000

During the self-tests at the end of building e2fsprogs, I encountered:

[ 188s] ./run_e2fsck: line 54: 16540 Aborted (core dumped) $FSCK $FSCK_OPT -N test_filesys $TMPFILE > $OUT1.new 2>&1
[...]
[ 188s] +*** Error in `../e2fsck/e2fsck': free(): invalid pointer: 0x0000000000def960 ***
[ 188s] +======= Backtrace: =========
[ 188s] +/lib64/libc.so.6(+0x721af)[0x7fdbd7c871af]
[ 188s] +/lib64/libc.so.6(+0x779d6)[0x7fdbd7c8c9d6]
[ 188s] +../lib/libext2fs.so.2(ext2fs_expand_extra_isize+0x4e4)[0x7fdbd88395f4]
[ 188s] +../e2fsck/e2fsck(e2fsck_pass1_expand_eisize+0x41)[0x412641]
[ 188s] +../e2fsck/e2fsck(e2fsck_pass1+0x1d18)[0x417008]
[ 188s] +../e2fsck/e2fsck(e2fsck_run+0x52)[0x40f942]
[ 188s] +../e2fsck/e2fsck(main+0xc34)[0x40b654]
[ 188s] +/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fdbd7c356e5]
[ 188s] +../e2fsck/e2fsck(_start+0x29)[0x40d419]
[ 188s] +======= Memory map: ========
[ 188s] +00400000-0043d000 r-xp 00000000 fd:00 330140 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/e2fsck/e2fsck
[ 188s] +0063c000-0063d000 r--p 0003c000 fd:00 330140 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/e2fsck/e2fsck
[ 188s] +0063d000-00642000 rw-p 0003d000 fd:00 330140 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/e2fsck/e2fsck
[ 188s] +00dcd000-00e10000 rw-p 00000000 00:00 0 [heap]
[ 188s] +7fdbd77dd000-7fdbd77f3000 r-xp 00000000 fd:00 409738 /lib64/libgcc_s.so.1
[ 188s] +7fdbd77f3000-7fdbd79f2000 ---p 00016000 fd:00 409738 /lib64/libgcc_s.so.1
[ 188s] +7fdbd79f2000-7fdbd79f3000 r--p 00015000 fd:00 409738 /lib64/libgcc_s.so.1
[ 188s] +7fdbd79f3000-7fdbd79f4000 rw-p 00016000 fd:00 409738 /lib64/libgcc_s.so.1
[ 188s] +7fdbd79f5000-7fdbd7a0d000 r-xp 00000000 fd:00 409639 /lib64/libpthread-2.22.so
[ 188s] +7fdbd7a0d000-7fdbd7c0c000 ---p 00018000 fd:00 409639 /lib64/libpthread-2.22.so
[ 188s] +7fdbd7c0c000-7fdbd7c0d000 r--p 00017000 fd:00 409639 /lib64/libpthread-2.22.so
[ 188s] +7fdbd7c0d000-7fdbd7c0e000 rw-p 00018000 fd:00 409639 /lib64/libpthread-2.22.so
[ 188s] +7fdbd7c0e000-7fdbd7c12000 rw-p 00000000 00:00 0
[ 188s] +7fdbd7c15000-7fdbd7daf000 r-xp 00000000 fd:00 409609 /lib64/libc-2.22.so
[ 188s] +7fdbd7daf000-7fdbd7fae000 ---p 0019a000 fd:00 409609 /lib64/libc-2.22.so
[ 188s] +7fdbd7fae000-7fdbd7fb2000 r--p 00199000 fd:00 409609 /lib64/libc-2.22.so
[ 188s] +7fdbd7fb2000-7fdbd7fb4000 rw-p 0019d000 fd:00 409609 /lib64/libc-2.22.so
[ 188s] +7fdbd7fb4000-7fdbd7fb8000 rw-p 00000000 00:00 0
[ 188s] +7fdbd7fbd000-7fdbd7fc4000 r-xp 00000000 fd:00 329940 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/lib/libe2p.so.2
[ 188s] +7fdbd7fc4000-7fdbd81c3000 ---p 00007000 fd:00 329940 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/lib/libe2p.so.2
[ 188s] +7fdbd81c3000-7fdbd81c4000 r--p 00006000 fd:00 329940 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/lib/libe2p.so.2
[ 188s] +7fdbd81c4000-7fdbd81c5000 rw-p 00007000 fd:00 329940 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/lib/libe2p.so.2
[ 188s] +7fdbd81c5000-7fdbd81c9000 r-xp 00000000 fd:00 132015 /usr/lib64/libuuid.so.1.3.0
[ 188s] +7fdbd81c9000-7fdbd83c8000 ---p 00004000 fd:00 132015 /usr/lib64/libuuid.so.1.3.0
[ 188s] +7fdbd83c8000-7fdbd83c9000 r--p 00003000 fd:00 132015 /usr/lib64/libuuid.so.1.3.0
[ 188s] +7fdbd83c9000-7fdbd83ca000 rw-p 00004000 fd:00 132015 /usr/lib64/libuuid.so.1.3.0
[ 188s] +7fdbd83cd000-7fdbd840a000 r-xp 00000000 fd:00 132034 /usr/lib64/libblkid.so.1.1.0
[ 188s] +7fdbd840a000-7fdbd8609000 ---p 0003d000 fd:00 132034 /usr/lib64/libblkid.so.1.1.0
[ 188s] +7fdbd8609000-7fdbd860d000 r--p 0003c000 fd:00 132034 /usr/lib64/libblkid.so.1.1.0
[ 188s] +7fdbd860d000-7fdbd860e000 rw-p 00040000 fd:00 132034 /usr/lib64/libblkid.so.1.1.0
[ 188s] +7fdbd860e000-7fdbd860f000 rw-p 00000000 00:00 0
[ 188s] +7fdbd8615000-7fdbd8618000 r-xp 00000000 fd:00 329854 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/lib/libcom_err.so.2
[ 188s] +7fdbd8618000-7fdbd8817000 ---p 00003000 fd:00 329854 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/lib/libcom_err.so.2
[ 188s] +7fdbd8817000-7fdbd8818000 r--p 00002000 fd:00 329854 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/lib/libcom_err.so.2
[ 188s] +7fdbd8818000-7fdbd8819000 rw-p 00003000 fd:00 329854 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/lib/libcom_err.so.2
[ 188s] +7fdbd881d000-7fdbd8863000 r-xp 00000000 fd:00 330105 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/lib/libext2fs.so.2
[ 188s] +7fdbd8863000-7fdbd8a63000 ---p 00046000 fd:00 330105 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/lib/libext2fs.so.2
[ 188s] +7fdbd8a63000-7fdbd8a64000 r--p 00046000 fd:00 330105 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/lib/libext2fs.so.2
[ 188s] +7fdbd8a64000-7fdbd8a66000 rw-p 00047000 fd:00 330105 /home/abuild/rpmbuild/BUILD/e2fsprogs-1.42.13/lib/libext2fs.so.2
[ 188s] +7fdbd8a6d000-7fdbd8a8e000 r-xp 00000000 fd:00 409725 /lib64/ld-2.22.so
[ 188s] +7fdbd8c83000-7fdbd8c85000 rw-p 00000000 00:00 0
[ 188s] +7fdbd8c8b000-7fdbd8c8d000 rw-p 00000000 00:00 0
[ 188s] +7fdbd8c8d000-7fdbd8c8e000 r--p 00020000 fd:00 409725 /lib64/ld-2.22.so
[ 188s] +7fdbd8c8e000-7fdbd8c8f000 rw-p 00021000 fd:00 409725 /lib64/ld-2.22.so
[ 188s] +7fdbd8c8f000-7fdbd8c91000 rw-p 00000000 00:00 0
[ 188s] +7fdbd8c91000-7fdbd8c94000 rw-p 00000000 00:00 0
[ 188s] +7fffecbf6000-7fffecc17000 rw-p 00000000 00:00 0 [stack]
[ 188s] +7fffeccbd000-7fffeccc0000 r--p 00000000 00:00 0 [vvar]
[ 188s] +7fffeccc0000-7fffeccc2000 r-xp 00000000 00:00 0 [vdso]
[ 188s] +ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
[ 188s] +Exit status is 134

I tracked this down to the memory allocation for the value of the extended attribute using entry->e_value_size and the memcpy using the rounded-up value of the same.

Whamcloud Community JIRA

[LU-10205] e2fsck: buffer overflow in ext2fs_expand_extra_isize