Bug#775374: blkid: buffer over-read

[Andreas Henriksson]

Control: tags -1 + fixed-upstream

Hello Jakub Wilk!


On Wed, Jan 14, 2015 at 09:52:14PM +0100, Jakub Wilk wrote:
 blkid crashes on the attached file:
 
 $ /sbin/blkid crash.blk
 Segmentation fault
 
 
 Valgrind says it's a buffer over-read:
[...]

Thanks for your bug report and testcase. I forwarded it upstream
and it was quickly adressed in
https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit/?id=861b11d5e24c5db463463fb6c047e72456597a5b

This should be part of upcoming v2.26-rc2.

Please feel free to include the upstream mailing list in any
future findings.

Regards,
Andreas Henriksson


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#775374: blkid: buffer over-read

[Jakub Wilk]

Package: util-linux
Version: 2.25.2-4
Usertags: afl

blkid crashes on the attached file:

$ /sbin/blkid crash.blk
Segmentation fault


Valgrind says it's a buffer over-read:

==1134== Invalid read of size 1
==1134==at 0x4075FEC: crc64 (crc64.c:102)
==1134==by 0x40675A1: bcache_crc64 (bcache.c:98)
==1134==by 0x4067647: probe_bcache (bcache.c:111)
==1134==by 0x406E945: superblocks_probe (superblocks.c:403)
==1134==by 0x406ECB5: superblocks_safeprobe (superblocks.c:464)
==1134==by 0x405D029: blkid_do_safeprobe (probe.c:1183)
==1134==by 0x40615B6: blkid_verify (verify.c:161)
==1134==by 0x4056B02: blkid_get_dev (devname.c:82)
==1134==by 0x804CA5F: main (blkid.c:928)
==1134==  Address 0x424cc24 is 0 bytes after a block of size 2,284 alloc'd
==1134==at 0x402B0D5: calloc (in 
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1134==by 0x405B995: blkid_probe_get_buffer (probe.c:581)
==1134==by 0x40675EE: probe_bcache (bcache.c:105)
==1134==by 0x406E945: superblocks_probe (superblocks.c:403)
==1134==by 0x406ECB5: superblocks_safeprobe (superblocks.c:464)
==1134==by 0x405D029: blkid_do_safeprobe (probe.c:1183)
==1134==by 0x40615B6: blkid_verify (verify.c:161)
==1134==by 0x4056B02: blkid_get_dev (devname.c:82)
==1134==by 0x804CA5F: main (blkid.c:928)


This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

Disclaimer: I don't have spare CPU cycles, so I fuzzed only till the 
first crash (which took a few seconds). It's likely that extensive 
fuzzing would uncover more interesting crashers. I'd encourage 
util-linux maintainers to perform fuzzing with AFL on their own. :-)



-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages util-linux depends on:
ii  initscripts2.88dsf-58
ii  libblkid1  2.25.2-4
ii  libc6  2.19-13
ii  libmount1  2.25.2-4
ii  libncurses55.9+20140913-1+b1
ii  libpam0g   1.1.8-3.1
ii  libselinux12.3-2
ii  libslang2  2.3.0-2
ii  libsmartcols1  2.25.2-4
ii  libtinfo5  5.9+20140913-1+b1
ii  libuuid1   2.25.2-4
ii  lsb-base   4.1+Debian13+nmu1
ii  tzdata 2014j-1
ii  zlib1g 1:1.2.8.dfsg-2+b1

--
Jakub Wilk


crash.blk
Description: Binary data