Bug 104311 - Out of bounds read in test suite of e2fsprogs
Summary: Out of bounds read in test suite of e2fsprogs
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: ext2 (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: fs_ext2@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-09 15:23 UTC by Hanno Boeck
Modified: 2020-02-13 09:03 UTC (History)
1 user (show)

See Also:
Kernel Version: 4.2.0
Tree: Mainline
Regression: No


Attachments
fix tst_badblocks test memory access (681 bytes, patch)
2015-09-09 15:23 UTC, Hanno Boeck
Details | Diff

Description Hanno Boeck 2015-09-09 15:23:41 UTC
Created attachment 187181 [details]
fix tst_badblocks test memory access

When compiling e2fsprogs with address sanitizer enabled and run "make check" it will show an out of bounds heap read error.

The reason is in the file tst_badblocks.c. The test arrays are supposed
to be zero-terminated (there's a loop iterating over them that will
cause the oob), however test2 doesn't have a zero at the end. Patch attached.

To reproduce:
./configure CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address"
make
make check

Error message:
==26295==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000063b3f0 at pc 0x0000004026c0 bp 0x7fff3876edd0 sp 0x7fff3876edc0
READ of size 4 at 0x00000063b3f0 thread T0
    #0 0x4026bf in create_test_list (/mnt/ram/e2fsprogs-1.42.13/lib/ext2fs/tst_badblocks+0x4026bf)
    #1 0x40383d in main (/mnt/ram/e2fsprogs-1.42.13/lib/ext2fs/tst_badblocks+0x40383d)
    #2 0x7fc4a97ad7af in __libc_start_main (/lib64/libc.so.6+0x207af)
    #3 0x4023f8 in _start (/mnt/ram/e2fsprogs-1.42.13/lib/ext2fs/tst_badblocks+0x4023f8)

0x00000063b3f0 is located 0 bytes to the right of global variable 'test2' defined in 'tst_badblocks.c:33:7' (0x63b3c0) of size 48
0x00000063b3f0 is located 48 bytes to the left of global variable 'test3' defined in 'tst_badblocks.c:34:7' (0x63b420) of size 52
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 create_test_list
Shadow bytes around the buggy address:
  0x0000800bf620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bf630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bf640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bf650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bf660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800bf670: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00[f9]f9
  0x0000800bf680: f9 f9 f9 f9 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
  0x0000800bf690: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800bf6a0: 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9
  0x0000800bf6b0: 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800bf6c0: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==26295==ABORTING

Note You need to log in before you can comment on or make changes to this bug.