On Tue, Dec 23, 2014 at 12:51:14PM +0100, Jakub Wilk wrote:
> Package: e2fsprogs
> Version: 1.42.12-1
> Usertags: afl
>
> fsck.ext2 crashes when checking the attached filesystem:
>
> $ /sbin/fsck.ext2 -n crash.ext2
> e2fsck 1.42.12 (29-Aug-2014)
> One or more block group descriptor checksums are invalid.  Fix? no
>
> Group descriptor 0 checksum is 0xa634, should be 0x6639.  IGNORED.
> Group descriptor 0 has invalid unused inodes count 21.  Fix? no
>
> crash.ext2 contains a file system with errors, check forced.
> Pass 1: Checking inodes, blocks, and sizes
> Signal (11) SIGSEGV si_code=SEGV_MAPERR fault addr=0x8663000
> *** Error in `/sbin/fsck.ext2': malloc(): memory corruption: 0x086529e8 ***
> Aborted
Thanks for the bug report!

It should be noted the crash only happens when e2fsck is run with -n.
If you run with the -fy options, the crash does *not* happen. This
indicates that e2fsck made an assumption that a particular filesystem
inconsistency *would* be fixed, but in the case where it was not fixed,
it wasn't being sufficiently paranoid --- or, if the inconsistency is so
fundamental that we can not proceed if the user refuses to fix it, we
should abort the e2fsck run.

This is still a bug, of course, and I intend to look into getting it
fixed, but in my opinion a bug fix for this issue doesn't meet the
freeze criteria[1]. This is especially true since e2fsprogs is part of
the installer, and the release team is generally much more conservative
about package uploads which require respinning (and retesting) the
installer.

[1] https://release.debian.org/jessie/freeze_policy.html

Many thanks,

- Ted

Script started on Wed 24 Dec 2014 04:29:21 PM EST
Top-level shell (parent script)
Using ssh-agent pid 3105
% dpkg -l e2fsprogs
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                              Version               Architecture          Description
+++-=================================-=====================-=====================-=======================================================================
ii  e2fsprogs                         1.42.12-1             amd64                 ext2/ext3/ext4 file system utilities
% /bin/cp /tmp/crash.ext2 /tmp/foo.img
% valgrind /sbin/e2fsck -fy /tmp/foo.img
==4870== Memcheck, a memory error detector
==4870== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4870== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==4870== Command: /sbin/e2fsck -fy /tmp/foo.img
==4870==
e2fsck 1.42.12 (29-Aug-2014)
==4870== Warning: noted but unhandled ioctl 0x4c05 with no size/direction hints.
==4870==    This could cause spurious value errors to appear.
==4870==    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
==4870== Conditional jump or move depends on uninitialised value(s)
==4870==    at 0x4E58801: check_loop_mounted (ismounted.c:67)
==4870==    by 0x4E58801: check_mntent_file (ismounted.c:122)
==4870==    by 0x4E58A57: check_mntent (ismounted.c:227)
==4870==    by 0x4E58A57: ext2fs_check_mount_point (ismounted.c:360)
==4870==    by 0x409812: check_mount (unix.c:228)
==4870==    by 0x409812: main (unix.c:1242)
==4870==
==4870== Conditional jump or move depends on uninitialised value(s)
==4870==    at 0x4E58801: check_loop_mounted (ismounted.c:67)
==4870==    by 0x4E58801: check_mntent_file (ismounted.c:122)
==4870==    by 0x4E58A7C: check_mntent (ismounted.c:236)
==4870==    by 0x4E58A7C: ext2fs_check_mount_point (ismounted.c:360)
==4870==    by 0x409812: check_mount (unix.c:228)
==4870==    by 0x409812: main (unix.c:1242)
==4870==
One or more block group descriptor checksums are invalid.  Fix? yes

Group descriptor 0 checksum is 0xa634, should be 0x6639.  FIXED.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/tmp/foo.img: 11/16 files (0.0% non-contiguous), 21/64 blocks
==4870==
==4870== HEAP SUMMARY:
==4870==     in use at exit: 0 bytes in 0 blocks
==4870==   total heap usage: 442 allocs, 442 frees, 117,158 bytes allocated
==4870==
==4870== All heap blocks were freed -- no leaks are possible
==4870==
==4870== For counts of detected and suppressed errors, rerun with: -v
==4870== Use --track-origins=yes to see where uninitialised values come from
==4870== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
% cp /tmp/crash.ext2 /tmp/foo.img
/bin/cp: overwrite ‘/tmp/foo.img’? y
% valgrind /sbin/e2fsck -n /tmp/foo.img
==4884== Memcheck, a memory error detector
==4884== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4884== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==4884== Command: /sbin/e2fsck -n /tmp/foo.img
==4884==
e2fsck 1.42.12 (29-Aug-2014)
==4884== Warning: noted but unhandled ioctl 0x4c05 with no size/direction hints.
==4884==    This could cause spurious value errors to appear.
==4884==    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x4E58801: check_loop_mounted (ismounted.c:67)
==4884==    by 0x4E58801: check_mntent_file (ismounted.c:122)
==4884==    by 0x4E58A57: check_mntent (ismounted.c:227)
==4884==    by 0x4E58A57: ext2fs_check_mount_point (ismounted.c:360)
==4884==    by 0x409812: check_mount (unix.c:228)
==4884==    by 0x409812: main (unix.c:1242)
==4884==
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x4E58801: check_loop_mounted (ismounted.c:67)
==4884==    by 0x4E58801: check_mntent_file (ismounted.c:122)
==4884==    by 0x4E58A7C: check_mntent (ismounted.c:236)
==4884==    by 0x4E58A7C: ext2fs_check_mount_point (ismounted.c:360)
==4884==    by 0x409812: check_mount (unix.c:228)
==4884==    by 0x409812: main (unix.c:1242)
==4884==
One or more block group descriptor checksums are invalid.  Fix? no

Group descriptor 0 checksum is 0xa634, should be 0x6639.  IGNORED.
Group descriptor 0 has invalid unused inodes count 21.  Fix? no

/tmp/foo.img contains a file system with errors, check forced.
Pass 1: Checking inodes, blocks, and sizes
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x413BA7: e2fsck_pass1 (pass1.c:787)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x413BB1: e2fsck_pass1 (pass1.c:813)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x4141DA: e2fsck_pass1 (pass1.c:840)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x414201: e2fsck_pass1 (pass1.c:842)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x4142FF: e2fsck_pass1 (pass1.c:870)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x414308: e2fsck_pass1 (pass1.c:870)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x414311: e2fsck_pass1 (pass1.c:871)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x4E49F4F: ext2fs_block_iterate3.part.0 (block.c:390)
==4884==    by 0x414406: e2fsck_pass1 (pass1.c:895)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x4E49F8A: ext2fs_block_iterate3.part.0 (block.c:517)
==4884==    by 0x414406: e2fsck_pass1 (pass1.c:895)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x4E4A0A2: ext2fs_block_iterate3.part.0 (block.c:527)
==4884==    by 0x414406: e2fsck_pass1 (pass1.c:895)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x4E4A0CA: ext2fs_block_iterate3.part.0 (block.c:534)
==4884==    by 0x414406: e2fsck_pass1 (pass1.c:895)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Conditional jump or move depends on uninitialised value(s)
==4884==    at 0x4E4A0EB: ext2fs_block_iterate3.part.0 (block.c:541)
==4884==    by 0x414406: e2fsck_pass1 (pass1.c:895)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Invalid write of size 8
==4884==    at 0x4C2D943: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==4884==    by 0x4E573D1: memcpy (string3.h:51)
==4884==    by 0x4E573D1: ext2fs_get_next_inode_full (inode.c:456)
==4884==    by 0x413B47: e2fsck_pass1 (pass1.c:765)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==  Address 0x5eade30 is 0 bytes after a block of size 128 alloc'd
==4884==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==4884==    by 0x4E57069: ext2fs_get_mem (ext2fs.h:1548)
==4884==    by 0x4E57069: ext2fs_open_inode_scan (inode.c:169)
==4884==    by 0x4139E8: e2fsck_pass1 (pass1.c:731)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Invalid read of size 8
==4884==    at 0x4C2D94E: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==4884==    by 0x4E573D1: memcpy (string3.h:51)
==4884==    by 0x4E573D1: ext2fs_get_next_inode_full (inode.c:456)
==4884==    by 0x413B47: e2fsck_pass1 (pass1.c:765)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==  Address 0x5eadd70 is 0 bytes after a block of size 8,192 alloc'd
==4884==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==4884==    by 0x4E5840F: ext2fs_get_mem (ext2fs.h:1548)
==4884==    by 0x4E5840F: io_channel_alloc_buf (io_manager.c:129)
==4884==    by 0x4E5703C: ext2fs_open_inode_scan (inode.c:160)
==4884==    by 0x4139E8: e2fsck_pass1 (pass1.c:731)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
==4884== Invalid read of size 8
==4884==    at 0x4C2D940: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==4884==    by 0x4E573D1: memcpy (string3.h:51)
==4884==    by 0x4E573D1: ext2fs_get_next_inode_full (inode.c:456)
==4884==    by 0x413B47: e2fsck_pass1 (pass1.c:765)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==  Address 0x5eadd78 is 8 bytes after a block of size 8,192 alloc'd
==4884==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==4884==    by 0x4E5840F: ext2fs_get_mem (ext2fs.h:1548)
==4884==    by 0x4E5840F: io_channel_alloc_buf (io_manager.c:129)
==4884==    by 0x4E5703C: ext2fs_open_inode_scan (inode.c:160)
==4884==    by 0x4139E8: e2fsck_pass1 (pass1.c:731)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)
==4884==
Signal (11) SIGSEGV si_code=SEGV_MAPERR fault addr=0x6292000

valgrind: m_mallocfree.c:278 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the end of a heap block and corrupting heap metadata. If you fix any invalid writes reported by Memcheck, this assertion failure will probably go away. Please try that before reporting this as a bug.

host stacktrace:
==4884==    at 0x380A48EF: show_sched_status_wrk (m_libcassert.c:319)
==4884==    by 0x380A49E4: report_and_quit (m_libcassert.c:390)
==4884==    by 0x380A4B66: vgPlain_assert_fail (m_libcassert.c:455)
==4884==    by 0x380B1AC6: mk_plain_bszB (m_mallocfree.c:278)
==4884==    by 0x380B1AC6: get_bszB_as_is (m_mallocfree.c:301)
==4884==    by 0x380B1AC6: get_bszB (m_mallocfree.c:312)
==4884==    by 0x380B1AC6: get_next_b (m_mallocfree.c:430)
==4884==    by 0x380B1AC6: vgPlain_arena_malloc (m_mallocfree.c:1736)
==4884==    by 0x38072784: vgMemCheck_new_block (mc_malloc_wrappers.c:350)
==4884==    by 0x38072956: vgMemCheck_malloc (mc_malloc_wrappers.c:385)
==4884==    by 0x380F6D27: do_client_request (scheduler.c:1840)
==4884==    by 0x380F6D27: vgPlain_scheduler (scheduler.c:1409)
==4884==    by 0x38105B60: thread_wrapper (syswrap-linux.c:103)
==4884==    by 0x38105B60: run_a_thread_NORETURN (syswrap-linux.c:156)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==4884==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==4884==    by 0x4005049: local_strdup (dl-load.c:162)
==4884==    by 0x4008399: _dl_map_object (dl-load.c:2509)
==4884==    by 0x4012A24: dl_open_worker (dl-open.c:235)
==4884==    by 0x400E8B3: _dl_catch_error (dl-error.c:187)
==4884==    by 0x401243A: _dl_open (dl-open.c:661)
==4884==    by 0x59E7401: do_dlopen (dl-libc.c:87)
==4884==    by 0x400E8B3: _dl_catch_error (dl-error.c:187)
==4884==    by 0x59E749E: dlerror_run (dl-libc.c:46)
==4884==    by 0x59E7510: __libc_dlopen_mode (dl-libc.c:163)
==4884==    by 0x59BEAF4: init (backtrace.c:52)
==4884==    by 0x5C8244F: pthread_once (pthread_once.S:103)
==4884==    by 0x59BEC0B: backtrace (backtrace.c:103)
==4884==    by 0x427E71: die_signal_handler (sigcatcher.c:377)
==4884==    by 0x590117F: ??? (in /lib/x86_64-linux-gnu/libc-2.19.so)
==4884==    by 0x4C2D942: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==4884==    by 0x4E573D1: memcpy (string3.h:51)
==4884==    by 0x4E573D1: ext2fs_get_next_inode_full (inode.c:456)
==4884==    by 0x413B47: e2fsck_pass1 (pass1.c:765)
==4884==    by 0x40E116: e2fsck_run (e2fsck.c:226)
==4884==    by 0x409EEB: main (unix.c:1636)


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.

% exit

Script done on Wed 24 Dec 2014 04:30:12 PM EST
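The "declined fix" pattern Ted describes above, as an added example that is not e2fsprogs code: a simplified checker derives an inode-scan length from a group descriptor's unused-inodes count, once naively and once the way a paranoid checker should. The figures (16 inodes per group, the bad count 21) are constructed from the report's output, and every function name here is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define INODES_PER_GROUP 16u   /* constructed: the report's image has 16 inodes */

enum scan_status { SCAN_OK, SCAN_FIXED, SCAN_ABORT };

/* Naive derivation: trusts the on-disk unused-inodes count even after the
 * user answered "Fix? no". With unused=21 the unsigned subtraction wraps,
 * so a scan loop sized by this value would read far beyond its inode buffer. */
size_t naive_inodes_to_scan(uint32_t unused_inodes) {
    return (size_t)(INODES_PER_GROUP - unused_inodes);
}

/* Hardened derivation: validate first. If the user declines the fix (-n),
 * do not carry on with a value the rest of the pass cannot safely use;
 * if they accept (-y), repair the in-memory copy before deriving anything.
 * n_out (may be NULL) receives the number of inodes that may be scanned. */
enum scan_status checked_inodes_to_scan(uint32_t unused_inodes, bool fix, size_t *n_out) {
    enum scan_status st = SCAN_OK;
    if (unused_inodes > INODES_PER_GROUP) {
        printf("Group descriptor has invalid unused inodes count %u. Fix? %s\n",
               (unsigned)unused_inodes, fix ? "yes" : "no");
        if (!fix) {              /* fundamental inconsistency left in place: abort */
            if (n_out) *n_out = 0;
            return SCAN_ABORT;
        }
        unused_inodes = 0;       /* fixed: treat every inode as in use and rescan */
        st = SCAN_FIXED;
    }
    if (n_out) *n_out = INODES_PER_GROUP - unused_inodes;   /* cannot wrap now */
    return st;
}

/* Convenience wrapper: how many inodes the hardened path allows to scan. */
size_t scannable_inodes(uint32_t unused_inodes, bool fix) {
    size_t n = 0;
    checked_inodes_to_scan(unused_inodes, fix, &n);
    return n;
}

int main(void) {
    printf("naive: would scan %zu inodes\n", naive_inodes_to_scan(21));
    if (checked_inodes_to_scan(21, false, NULL) == SCAN_ABORT)
        puts("-n: fix declined, aborting the check instead of continuing");
    printf("-y: fixed, scanning %zu inodes\n", scannable_inodes(21, true));
    return 0;
}
```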

