[jwilk@debian.org: Bug#775374: blkid: buffer over-read]

[jwilk@debian.org: Bug#775374: blkid: buffer over-read]

[Andreas Henriksson]

[-- Attachment #1: Type: text/plain, Size: 3140 bytes --]

Hello!

Jakub Wilk has been performing fuzz testing and found a crash bug in
blkid that seems to be from reading from a buffer out of bounds.

Original message quoted below. Test file attached.

Original bug report is also available at:
http://bugs.debian.org/775374


Regards,
Andreas Henriksson

----- Forwarded message from Jakub Wilk <jwilk@debian.org> -----

Date: Wed, 14 Jan 2015 21:52:14 +0100
From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#775374: blkid: buffer over-read
User-Agent: Mutt/1.5.23 (2014-03-12)

Package: util-linux
Version: 2.25.2-4
Usertags: afl

blkid crashes on the attached file:

$ /sbin/blkid crash.blk
Segmentation fault


Valgrind says it's a buffer over-read:

==1134== Invalid read of size 1
==1134==    at 0x4075FEC: crc64 (crc64.c:102)
==1134==    by 0x40675A1: bcache_crc64 (bcache.c:98)
==1134==    by 0x4067647: probe_bcache (bcache.c:111)
==1134==    by 0x406E945: superblocks_probe (superblocks.c:403)
==1134==    by 0x406ECB5: superblocks_safeprobe (superblocks.c:464)
==1134==    by 0x405D029: blkid_do_safeprobe (probe.c:1183)
==1134==    by 0x40615B6: blkid_verify (verify.c:161)
==1134==    by 0x4056B02: blkid_get_dev (devname.c:82)
==1134==    by 0x804CA5F: main (blkid.c:928)
==1134==  Address 0x424cc24 is 0 bytes after a block of size 2,284 alloc'd
==1134==    at 0x402B0D5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1134==    by 0x405B995: blkid_probe_get_buffer (probe.c:581)
==1134==    by 0x40675EE: probe_bcache (bcache.c:105)
==1134==    by 0x406E945: superblocks_probe (superblocks.c:403)
==1134==    by 0x406ECB5: superblocks_safeprobe (superblocks.c:464)
==1134==    by 0x405D029: blkid_do_safeprobe (probe.c:1183)
==1134==    by 0x40615B6: blkid_verify (verify.c:161)
==1134==    by 0x4056B02: blkid_get_dev (devname.c:82)
==1134==    by 0x804CA5F: main (blkid.c:928)


This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

Disclaimer: I don't have spare CPU cycles, so I fuzzed only till the first
crash (which took a few seconds). It's likely that extensive fuzzing would
uncover more interesting crashers. I'd encourage util-linux maintainers to
perform fuzzing with AFL on their own. :-)


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages util-linux depends on:
ii  initscripts    2.88dsf-58
ii  libblkid1      2.25.2-4
ii  libc6          2.19-13
ii  libmount1      2.25.2-4
ii  libncurses5    5.9+20140913-1+b1
ii  libpam0g       1.1.8-3.1
ii  libselinux1    2.3-2
ii  libslang2      2.3.0-2
ii  libsmartcols1  2.25.2-4
ii  libtinfo5      5.9+20140913-1+b1
ii  libuuid1       2.25.2-4
ii  lsb-base       4.1+Debian13+nmu1
ii  tzdata         2014j-1
ii  zlib1g         1:1.2.8.dfsg-2+b1

-- 
Jakub Wilk



----- End forwarded message -----

[-- Attachment #2: crash.blk --]
[-- Type: application/octet-stream, Size: 8192 bytes --]

Re: [jwilk@debian.org: Bug#775374: blkid: buffer over-read]

[Karel Zak]

On Thu, Jan 15, 2015 at 10:57:22AM +0100, Andreas Henriksson wrote:
> Jakub Wilk has been performing fuzz testing and found a crash bug in
> blkid that seems to be from reading from a buffer out of bounds.
> 
> Original message quoted below. Test file attached.
> 
> Original bug report is also available at:
> http://bugs.debian.org/775374

 Fixed by commit 861b11d5e24c5db463463fb6c047e72456597a5b.

 Thanks!
    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com