| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 09 Sep 2015 15:23:41 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: linux-ext4@...r.kernel.org
Subject: [Bug 104311] New: Out of bounds read in test suite of e2fsprogs
https://bugzilla.kernel.org/show_bug.cgi?id=104311
Bug ID: 104311
Summary: Out of bounds read in test suite of e2fsprogs
Product: File System
Version: 2.5
Kernel Version: 4.2.0
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ext2
Assignee: fs_ext2@...nel-bugs.osdl.org
Reporter: hanno@...eck.de
Regression: No
Created attachment 187181
--> https://bugzilla.kernel.org/attachment.cgi?id=187181&action=edit
fix tst_badblocks test memory access
When compiling e2fsprogs with address sanitizer enabled and run "make check" it
will show an out of bounds heap read error.
The reason is in the file tst_badblocks.c. The test arrays are supposed
to be zero-terminated (there's a loop iterating over them that will
cause the oob), however test2 doesn't have a zero at the end. Patch attached.
To reproduce:
./configure CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address"
make
make check
Error message:
==26295==ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000063b3f0 at pc 0x0000004026c0 bp 0x7fff3876edd0 sp 0x7fff3876edc0
READ of size 4 at 0x00000063b3f0 thread T0
#0 0x4026bf in create_test_list
(/mnt/ram/e2fsprogs-1.42.13/lib/ext2fs/tst_badblocks+0x4026bf)
#1 0x40383d in main
(/mnt/ram/e2fsprogs-1.42.13/lib/ext2fs/tst_badblocks+0x40383d)
#2 0x7fc4a97ad7af in __libc_start_main (/lib64/libc.so.6+0x207af)
#3 0x4023f8 in _start
(/mnt/ram/e2fsprogs-1.42.13/lib/ext2fs/tst_badblocks+0x4023f8)
0x00000063b3f0 is located 0 bytes to the right of global variable 'test2'
defined in 'tst_badblocks.c:33:7' (0x63b3c0) of size 48
0x00000063b3f0 is located 48 bytes to the left of global variable 'test3'
defined in 'tst_badblocks.c:34:7' (0x63b420) of size 52
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 create_test_list
Shadow bytes around the buggy address:
0x0000800bf620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bf630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bf640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bf650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bf660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800bf670: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00[f9]f9
0x0000800bf680: f9 f9 f9 f9 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
0x0000800bf690: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0000800bf6a0: 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9
0x0000800bf6b0: 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0000800bf6c0: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==26295==ABORTING
--
You are receiving this mail because:
You are watching the assignee of the bug.
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists