Package: e2fsprogs
Version: 1.43.5-1

$ gzip -d underwrite.ext2.gz
$ valgrind /sbin/e2fsck -f -y underwrite.ext2 > /dev/null
==6645== Memcheck, a memory error detector
==6645== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==6645== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==6645== Command: /sbin/e2fsck -f -y underwrite.ext2
==6645==
e2fsck 1.43.5 (04-Aug-2017)
==6645== Invalid write of size 1
==6645==    at 0x48349C0: memset (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6645==    by 0x4892A2E: memset (string3.h:90)
==6645==    by 0x4892A2E: raw_read_blk (unix_io.c:250)
==6645==    by 0x48936FE: unix_read_blk64.part.5 (unix_io.c:862)
==6645==    by 0x4880D82: ext2fs_read_inode_full (inode.c:803)
==6645==    by 0x4880FF4: ext2fs_read_inode (inode.c:845)
==6645==    by 0x11745F: check_resize_inode (super.c:346)
==6645==    by 0x1126C0: main (unix.c:1761)
==6645==  Address 0x4affac7 is 1 bytes before a block of size 1,024 alloc'd
==6645==    at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6645==    by 0x488198D: ext2fs_get_mem (ext2fs.h:1740)
==6645==    by 0x488198D: io_channel_alloc_buf (io_manager.c:140)
==6645==    by 0x4892CDE: alloc_cache (unix_io.c:401)
==6645==    by 0x4893CEE: unix_open_channel (unix_io.c:644)
==6645==    by 0x4885046: ext2fs_open2 (openfs.c:160)
==6645==    by 0x1151AA: try_open_fs (unix.c:1141)
==6645==    by 0x1120E3: main (unix.c:1447)
...


Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages e2fsprogs depends on:
ii  e2fslibs    1.43.5-1
ii  libblkid1   2.29.2-2
ii  libc6       2.24-14
ii  libcomerr2  1.43.5-1
ii  libss2      1.43.5-1
ii  libuuid1    2.29.2-2
ii  util-linux  2.29.2-2

--
Jakub Wilk

Attachment: underwrite.ext2.gz
Description: application/gzip
