Good Evening,

I'm attaching a POC script that creates an MBR image that will then cause parted to crash. The reason for this crash is that `read_table()` in `libparted/labels/dos.c` recursively follows MS-DOS/MBR extended partition tables, but there is no recursion guard.

To run the POC, run `PARTED_BIN=/usr/sbin/parted ./poc.sh` with your poc.sh file in your current directory. The results of the crash are attached, as well as a suggested patch.

With regards to priority, I've been scratching my head. It seems bad that an MBR partition could be crafted in such a way that, when an unassuming user runs parted on it, parted crashes. On the other hand, if you're running parted, presumably you have a significant amount of knowledge. I'd therefore propose that it needs to be fixed as a correctness and defense-in-depth finding. Longer term, the EBR traversal should be rewritten so as not to be recursive, BUT the attached patch will at least squash the bug as is. If you need any help please let me know; I'm happy to try my hand at rewriting EBR traversal.

Additionally, full disclosure, this bug was found as part of my project N184, an open source automated bug scanner. The repository can be found here: https://github.com/MillaFleurs/N184

Thank you!
Dan
patch.diff
poc.sh
## operation attempted
/usr/sbin/parted ./parted-mbr-ebr-crash.img print unit s print unit chs print

## parted version
parted (GNU parted) 3.6
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by <http://git.debian.org/?p=parted/parted.git;a=blob_plain;f=AUTHORS>.

## diagnostic output
WARNING: You are not superuser.  Watch out for permissions.
Model:  (file)
Disk /home/dan/parted-test/parted-mbr-ebr-crash.img: 20.5MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start  End     Size    Type      File system  Flags
 1      512B   20.5MB  20.5MB  extended

Model:  (file)
Disk /home/dan/parted-test/parted-mbr-ebr-crash.img: 40003s
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start  End     Size    Type      File system  Flags
 1      1s     40002s  40002s  extended

Model:  (file)
Disk /home/dan/parted-test/parted-mbr-ebr-crash.img: 312,2,2
Sector size (logical/physical): 512B/512B
BIOS cylinder,head,sector geometry: 312,4,32.  Each cylinder is 65.5kB.
Partition Table: msdos
Disk Flags:

Number  Start  End      Type      File system  Flags
 1      0,0,1  312,2,2  extended

exit_status=0

## date
Sat 9 May 21:00:37 EDT 2026

## uname
Linux morty 6.12.75+rpt-rpi-2712 #1 SMP PREEMPT Debian 1:6.12.75-1+rpt1 (2026-03-11) aarch64 GNU/Linux

## parted version
parted (GNU parted) 3.6
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by <http://git.debian.org/?p=parted/parted.git;a=blob_plain;f=AUTHORS>.

## ulimit
real-time non-blocking time  (microseconds, -R) unlimited
core file size              (blocks, -c) unlimited
data seg size               (kbytes, -d) unlimited
scheduling priority                 (-e) 0
file size                   (blocks, -f) unlimited
pending signals                     (-i) 15891
max locked memory           (kbytes, -l) 8192
max memory size             (kbytes, -m) unlimited
open files                          (-n) 1024
pipe size                (512 bytes, -p) 8
POSIX message queues         (bytes, -q) 819200
real-time priority                  (-r) 0
stack size                  (kbytes, -s) 8192
cpu time                   (seconds, -t) unlimited
max user processes                  (-u) 15891
virtual memory              (kbytes, -v) unlimited
file locks                          (-x) unlimited

## poc run
created ./parted-mbr-ebr-crash.img
image layout:
  raw MBR disk image, sector_size=512
  mbr: LBA 0 contains one extended partition entry
  ebr chain: each non-final EBR contains only a next-EBR link
  depth=20000 sectors=40003 logical_partitions=0 image_size_bytes=20481536
Keeping image artifact: ./parted-mbr-ebr-crash.img
Running: /usr/sbin/parted -s ./parted-mbr-ebr-crash.img unit s print
Stack limit: 1024 KiB
parted exit status: 139
stderr:
timeout: the monitored command dumped core
Segmentation fault
BUG TRIGGERED: parted crashed while parsing the long EBR chain.
## coredumpctl list
TIME                          PID   UID  GID  SIG      COREFILE      EXE               SIZE
Sat 2026-05-09 20:56:44 EDT   15062    0    0  SIGSEGV  inaccessible  /usr/sbin/parted     -
Sat 2026-05-09 21:00:38 EDT   15103 1000 1000  SIGSEGV  present       /usr/sbin/parted  330.3K

## coredumpctl info
           PID: 15062 (parted)
           UID: 0 (root)
           GID: 0 (root)
        Signal: 11 (SEGV)
     Timestamp: Sat 2026-05-09 20:56:44 EDT (3min 54s ago)
  Command Line: /usr/sbin/parted -s ./parted-mbr-ebr-crash.img unit s print
    Executable: /usr/sbin/parted
 Control Group: /user.slice/user-1000.slice/user@1000.service/tmux-spawn-79524e1f-be9e-4817-9761-9bdd7b89131e.scope
          Unit: user@1000.service
     User Unit: tmux-spawn-79524e1f-be9e-4817-9761-9bdd7b89131e.scope
         Slice: user-1000.slice
     Owner UID: 1000 (dan)
       Boot ID: 2548a803aaae4c3890cb929c511fcafe
    Machine ID: d406f9049738481db323a0f14fefd7e8
      Hostname: morty
       Storage: /var/lib/systemd/coredump/core.parted.0.2548a803aaae4c3890cb929c511fcafe.15062.1778374604000000.zst (inaccessible)
       Message: Process 15062 (parted) of user 0 dumped core.

                Module libudev.so.1 from deb systemd-257.9-1~deb13u1.arm64
                Module libblkid.so.1 from deb util-linux-2.41-5.arm64
                Module libuuid.so.1 from deb util-linux-2.41-5.arm64
                Stack trace of thread 15062:
                #0  0x00007fffa166845c n/a (libparted.so.2 + 0x1845c)
                #1  0x00007fffa1669ad8 n/a (libparted.so.2 + 0x19ad8)
                #2  0x00007fffa1682bd0 ptt_read_sectors (libparted.so.2 + 0x32bd0)
                #3  0x00007fffa1678500 n/a (libparted.so.2 + 0x28500)
                #4  0x00007fffa16787e0 n/a (libparted.so.2 + 0x287e0)
                (frames #5 through #62 are identical to #4)
                #63 0x00007fffa16787e0 n/a (libparted.so.2 + 0x287e0)
                ELF object binary architecture: AARCH64

           PID: 15103 (parted)
           UID: 1000 (dan)
           GID: 1000 (dan)
        Signal: 11 (SEGV)
     Timestamp: Sat 2026-05-09 21:00:38 EDT (988ms ago)
  Command Line: /usr/sbin/parted -s ./parted-mbr-ebr-crash.img unit s print
    Executable: /usr/sbin/parted
 Control Group: /user.slice/user-1000.slice/user@1000.service/tmux-spawn-79524e1f-be9e-4817-9761-9bdd7b89131e.scope
          Unit: user@1000.service
     User Unit: tmux-spawn-79524e1f-be9e-4817-9761-9bdd7b89131e.scope
         Slice: user-1000.slice
     Owner UID: 1000 (dan)
       Boot ID: 2548a803aaae4c3890cb929c511fcafe
    Machine ID: d406f9049738481db323a0f14fefd7e8
      Hostname: morty
       Storage: /var/lib/systemd/coredump/core.parted.1000.2548a803aaae4c3890cb929c511fcafe.15103.1778374838000000.zst (present)
  Size on Disk: 330.3K
       Message: Process 15103 (parted) of user 1000 dumped core.

                Module libudev.so.1 from deb systemd-257.9-1~deb13u1.arm64
                Module libblkid.so.1 from deb util-linux-2.41-5.arm64
                Module libuuid.so.1 from deb util-linux-2.41-5.arm64
                Stack trace of thread 15103:
                #0  0x00007fff3707845c n/a (libparted.so.2 + 0x1845c)
                #1  0x00007fff37079ad8 n/a (libparted.so.2 + 0x19ad8)
                #2  0x00007fff37092bd0 ptt_read_sectors (libparted.so.2 + 0x32bd0)
                #3  0x00007fff37088500 n/a (libparted.so.2 + 0x28500)
                #4  0x00007fff370887e0 n/a (libparted.so.2 + 0x287e0)
                (frames #5 through #62 are identical to #4)
                #63 0x00007fff370887e0 n/a (libparted.so.2 + 0x287e0)
                ELF object binary architecture: AARCH64

## dmesg

## journalctl kernel parted
