debugfs crash with `-D_FORTIFY_SOURCE=3`
Closed this issue · 3 comments
Noticed when running unblob's test suite.
```
# debugfs -R 'rdump / /var/tmp/portage/app-forensics/unblob-23.5.31/temp/pytest-of-portage/pytest-0/test_all_handlers_filesystem_e0/f_badsymlinks.img_extract//lost+found /var/tmp/portage/app-forensics/unblob-23.5.31/work/unblob-23.5.31/tests/integration/filesystem/extfs/__input__/f_badsymlinks.img
debugfs 1.47.0 (5-Feb-2023)
rdump: No such file or directory while creating symlink -> /var/tmp/portage/app-forensics/unblob-23.5.31/temp/pytest-of-portage/pytest-0/test_all_handlers_filesystem_e0/f_badsymlinks.img_extract//lost+found//empty_link
*** buffer overflow detected ***: terminated
Aborted (core dumped)
```
```
Program received signal SIGABRT, Aborted.
0x00007ffff7d5024c in ?? () from /usr/lib64/libc.so.6
(gdb) bt
#0 0x00007ffff7d5024c in ?? () from /usr/lib64/libc.so.6
#1 0x00007ffff7cffad6 in raise () from /usr/lib64/libc.so.6
#2 0x00007ffff7ce8877 in abort () from /usr/lib64/libc.so.6
#3 0x00007ffff7ce97b8 in ?? () from /usr/lib64/libc.so.6
#4 0x00007ffff7de387b in __fortify_fail () from /usr/lib64/libc.so.6
#5 0x00007ffff7de1fe6 in __chk_fail () from /usr/lib64/libc.so.6
#6 0x00007ffff7de1826 in __strcpy_chk () from /usr/lib64/libc.so.6
#7 0x0000555555563f1f in ?? ()
#8 0x00005555555641c5 in ?? ()
#9 0x00007ffff7f446d6 in ext2fs_process_dir_block (fs=0x55555558c2c0, blocknr=0x7fffffffdca0, blockcnt=<optimized out>, ref_block=<optimized out>, ref_offset=<optimized out>, priv_data=<optimized out>)
at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ext2fs/dir_iterate.c:256
#10 0x00007ffff7f3efc7 in ext2fs_block_iterate3 (fs=0x55555558c2c0, ino=2, flags=8, block_buf=0x0, func=0x7ffff7f44550 <ext2fs_process_dir_block>, priv_data=0x7fffffffde30)
at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ext2fs/block.c:526
#11 0x00007ffff7f3fb55 in ext2fs_block_iterate3 (fs=fs@entry=0x55555558c2c0, ino=ino@entry=2, flags=flags@entry=8, block_buf=block_buf@entry=0x0, func=func@entry=0x7ffff7f44550 <ext2fs_process_dir_block>,
priv_data=priv_data@entry=0x7fffffffde30) at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ext2fs/block.c:568
#12 0x00007ffff7f44b85 in ext2fs_dir_iterate2 (priv_data=0x7fffffffdeb0, func=0x7ffff7f444e0 <xlate_func>, block_buf=0x0, flags=<optimized out>, dir=2, fs=0x55555558c2c0)
at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ext2fs/dir_iterate.c:126
#13 ext2fs_dir_iterate2 (fs=0x55555558c2c0, dir=2, flags=<optimized out>, block_buf=0x0, func=0x7ffff7f444e0 <xlate_func>, priv_data=0x7fffffffdeb0)
at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ext2fs/dir_iterate.c:92
#14 0x00007ffff7f44bf0 in ext2fs_dir_iterate (fs=<optimized out>, dir=<optimized out>, flags=<optimized out>, block_buf=<optimized out>, func=<optimized out>, priv_data=<optimized out>)
at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ext2fs/dir_iterate.c:174
#15 0x0000555555563f64 in ?? ()
#16 0x000055555556442b in ?? ()
#17 0x00007ffff7f16373 in check_request_table (rqtbl=<optimized out>, sci_idx=<optimized out>, argv=0x555555591930, argc=3)
at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ss/execute_cmd.c:103
#18 really_execute_command (sci_idx=sci_idx@entry=1, argc=3, argv=argv@entry=0x7fffffffe110) at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ss/execute_cmd.c:141
#19 0x00007ffff7f16578 in ss_execute_line (sci_idx=1, line_ptr=<optimized out>) at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ss/execute_cmd.c:224
#20 0x000055555555b2e0 in ?? ()
#21 0x00007ffff7ce9d50 in ?? () from /usr/lib64/libc.so.6
#22 0x00007ffff7ce9e09 in __libc_start_main () from /usr/lib64/libc.so.6
#23 0x000055555555b3f5 in ?? ()
```
A smaller reproducer is:
```
$ mkdir /tmp/foo && debugfs -R 'rdump / /tmp/foo' f_badsymlinks.img
debugfs 1.47.0 (5-Feb-2023)
rdump: No such file or directory while creating symlink -> /tmp/foo//empty_link
*** buffer overflow detected ***: terminated
Aborted (core dumped)
```
This is with GCC 13.1.1 20230701, -D_FORTIFY_SOURCE=3, glibc-2.37, and e2fsprogs-1.47.0 on amd64.
Attached f_badsymlinks.img (from the unblob test suite): f_badsymlinks.img.gz
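The backtrace above aborts inside `__strcpy_chk` while `rdump` is creating a symlink, and the report notes that the same binary built without fortify runs through silently. The following added example (not e2fsprogs code, and not a claim about what `rdump` does internally) shows the general shape of a bug that behaves that way: a `strcpy` into a heap buffer whose size is only known at run time, which `-D_FORTIFY_SOURCE=2` cannot check but level 3 can, next to a bounded copy that rejects the metadata/data mismatch instead of trusting either side. The `RAW_LEN` inline-target model and the `claimed_size` parameter are constructed for illustration.

```c
/* Added example, not e2fsprogs code. A strcpy into a heap buffer whose size
 * comes from on-disk metadata is caught by -D_FORTIFY_SOURCE=3 but not by
 * level 2: level 2 only checks sizes known at compile time, level 3 uses
 * __builtin_dynamic_object_size, so malloc(claimed_size + 1) is visible to
 * __strcpy_chk and a longer source aborts ("*** buffer overflow detected ***").
 * Build with: gcc -O2 -D_FORTIFY_SOURCE=3 */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an inline (fast) symlink target: at most RAW_LEN bytes
 * stored in the inode, NUL-terminated only when shorter. claimed_size stands
 * for the inode's size field; the two can disagree in a crafted or corrupt image. */
#define RAW_LEN 60

/* Unsafe pattern: the allocation trusts the metadata, the copy trusts the
 * data. claimed_size == 0 with a non-empty target is a heap overflow that only
 * FORTIFY level 3 or ASan reports. Shown for contrast; not exercised below. */
char *copy_target_unsafe(size_t claimed_size, const char *raw)
{
    char *buf = malloc(claimed_size + 1);
    if (buf)
        strcpy(buf, raw);  /* __strcpy_chk aborts here at level 3 */
    return buf;
}

/* Hardened form: measure the data with a bound, reject a mismatch with the
 * metadata as corrupt input, and copy exactly the measured length. Returns
 * NULL with errno = EINVAL on mismatch. */
char *copy_target_checked(size_t claimed_size, const char *raw)
{
    const char *end = memchr(raw, '\0', RAW_LEN);
    size_t actual = end ? (size_t)(end - raw) : RAW_LEN;
    if (actual != claimed_size) {
        errno = EINVAL;  /* the image lies about its own size */
        return NULL;
    }
    char *buf = malloc(actual + 1);
    if (buf) {
        memcpy(buf, raw, actual);
        buf[actual] = '\0';
    }
    return buf;
}
```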
This looks like it has been fixed upstream. I just tried building with --enable-hardening with FORTIFY_SOURCE set to 3, and running the regression test, and it's passing 100%. I suspect it was fixed when we added --enable-asan and --enable-ubsan and fixed up any issues that were detected by these sanitizers.
I can still reproduce it in unblob's test suite using v1.47.1. Note that unblob's docker container and nix have e2fsprogs built without fortify, so this error doesn't trigger by default.
Repro:
```
debugfs -R "rdump / $(mktemp -d)" tests/integration/filesystem/extfs/__input__/f_badsymlinks.img
```
The test file in question is https://github.com/onekey-sec/unblob/blob/main/tests/integration/filesystem/extfs/__input__/f_badsymlinks.img