Hello! Jakub Wilk has been performing fuzz testing and found a crash bug in blkid that seems to be from reading from a buffer out of bounds. Original message quoted below. Test file attached. Original bug report is also available at: http://bugs.debian.org/775374 Regards, Andreas Henriksson ----- Forwarded message from Jakub Wilk <jwilk@xxxxxxxxxx> ----- Date: Wed, 14 Jan 2015 21:52:14 +0100 From: Jakub Wilk <jwilk@xxxxxxxxxx> To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx> Subject: Bug#775374: blkid: buffer over-read User-Agent: Mutt/1.5.23 (2014-03-12) Package: util-linux Version: 2.25.2-4 Usertags: afl blkid crashes on the attached file: $ /sbin/blkid crash.blk Segmentation fault Valgrind says it's a buffer over-read: ==1134== Invalid read of size 1 ==1134== at 0x4075FEC: crc64 (crc64.c:102) ==1134== by 0x40675A1: bcache_crc64 (bcache.c:98) ==1134== by 0x4067647: probe_bcache (bcache.c:111) ==1134== by 0x406E945: superblocks_probe (superblocks.c:403) ==1134== by 0x406ECB5: superblocks_safeprobe (superblocks.c:464) ==1134== by 0x405D029: blkid_do_safeprobe (probe.c:1183) ==1134== by 0x40615B6: blkid_verify (verify.c:161) ==1134== by 0x4056B02: blkid_get_dev (devname.c:82) ==1134== by 0x804CA5F: main (blkid.c:928) ==1134== Address 0x424cc24 is 0 bytes after a block of size 2,284 alloc'd ==1134== at 0x402B0D5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==1134== by 0x405B995: blkid_probe_get_buffer (probe.c:581) ==1134== by 0x40675EE: probe_bcache (bcache.c:105) ==1134== by 0x406E945: superblocks_probe (superblocks.c:403) ==1134== by 0x406ECB5: superblocks_safeprobe (superblocks.c:464) ==1134== by 0x405D029: blkid_do_safeprobe (probe.c:1183) ==1134== by 0x40615B6: blkid_verify (verify.c:161) ==1134== by 0x4056B02: blkid_get_dev (devname.c:82) ==1134== by 0x804CA5F: main (blkid.c:928) This bug was found using American fuzzy lop: https://packages.debian.org/experimental/afl Disclaimer: I don't have spare CPU cycles, so I fuzzed only till the first crash (which took a few seconds). It's likely that extensive fuzzing would uncover more interesting crashers. I'd encourage util-linux maintainers to perform fuzzing with AFL on their own. :-) -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (990, 'unstable'), (500, 'experimental') Architecture: i386 (x86_64) Foreign Architectures: amd64 Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages util-linux depends on: ii initscripts 2.88dsf-58 ii libblkid1 2.25.2-4 ii libc6 2.19-13 ii libmount1 2.25.2-4 ii libncurses5 5.9+20140913-1+b1 ii libpam0g 1.1.8-3.1 ii libselinux1 2.3-2 ii libslang2 2.3.0-2 ii libsmartcols1 2.25.2-4 ii libtinfo5 5.9+20140913-1+b1 ii libuuid1 2.25.2-4 ii lsb-base 4.1+Debian13+nmu1 ii tzdata 2014j-1 ii zlib1g 1:1.2.8.dfsg-2+b1 -- Jakub Wilk ----- End forwarded message -----
Attachment:
crash.blk
Description: Binary data
