Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 916028 - sys-fs/mtools: buffer overflow with mcopy with _FORTIFY_SOURCE=3 when built with -O3
Summary: sys-fs/mtools: buffer overflow with mcopy with _FORTIFY_SOURCE=3 when built w...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks: 847148
  Show dependency tree
 
Reported: 2023-10-19 22:51 UTC by Sam James
Modified: 2024-06-03 16:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
[PATCH] vfat: fix out-of-bounds write in autorename (0001-vfat-fix-out-of-bounds-write-in-autorename.patch,1.08 KB, patch)
2023-11-25 22:46 UTC, Arsen Arsenović 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-19 22:51:24 UTC 
Reported by Arsen, filing so we don't forget about it...

Needs -O3. Happens with _F_S=3.

```
$ fallocate -l 1GiB image ; mkfs.vfat -F 16 -n ESP image ; mcopy -i image /dev/null ::/limine-bios.sys
mkfs.fat 4.2 (2021-01-31)
*** buffer overflow detected ***: terminated
Aborted (core dumped)
```

Under gdb:
```
Program received signal SIGABRT, Aborted.
0x00007ffff7e4a31c in ?? () from /usr/lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7e4a31c in ?? () from /usr/lib64/libc.so.6
#1  0x00007ffff7df10d6 in raise () from /usr/lib64/libc.so.6
#2  0x00007ffff7dd88ce in abort () from /usr/lib64/libc.so.6
#3  0x00007ffff7dd9969 in ?? () from /usr/lib64/libc.so.6
#4  0x00007ffff7ed222b in __fortify_fail () from /usr/lib64/libc.so.6
#5  0x00007ffff7ed1b96 in __chk_fail () from /usr/lib64/libc.so.6
#6  0x00007ffff7e34ee1 in ?? () from /usr/lib64/libc.so.6
#7  0x00007ffff7ed33db in __sprintf_chk () from /usr/lib64/libc.so.6
#8  0x000055555557b5f8 in sprintf (__fmt=0x555555582eaf "%c%d", __s=<optimized out>) at /usr/include/bits/stdio2.h:30
#9  autorename (tilda=126 '~', dot=32 ' ', limit=8, bump=0, illegals=<optimized out>, name=0x7fffffffc614 "LIMINE~1SYS") at vfat.c:130
#10 autorename_short (name=name@entry=0x7fffffffc614, bump=bump@entry=0) at vfat.c:142
#11 0x000055555556326a in dos_name (toDos=0x5555555ac1c0, name=0x7fffffffca70 "limine-bios.sys", verbose=<optimized out>, mangled=0x7fffffffc5ec, dn=0x7fffffffc614) at file_name.c:134
#12 0x0000555555570f60 in convert_to_shortname (dn=0x7fffffffc614, un=0x7fffffffca70 "limine-bios.sys", ch=0x7fffffffd6e0, cp=0x5555555ac1c0) at mk_direntry.c:46
#13 _mwrite_one (Dir=Dir@entry=0x5555555aca00, argname=<optimized out>, argname@entry=0x5555555ace30 "limine-bios.sys", shortname=<optimized out>, shortname@entry=0x0, cb=cb@entry=0x5555555688c0 <writeit>,
    arg=arg@entry=0x7fffffffd1a0, ch=ch@entry=0x7fffffffd6e0) at mk_direntry.c:588
#14 0x0000555555572416 in mwrite_one (Dir=0x5555555aca00, _argname=<optimized out>, _shortname=_shortname@entry=0x0, cb=cb@entry=0x5555555688c0 <writeit>, arg=arg@entry=0x7fffffffd1a0,
    ch=ch@entry=0x7fffffffd6e0) at mk_direntry.c:665
#15 0x000055555556957e in dos_write (needfilter=1, mp=0x7fffffffd1d0, entry=0x0) at mcopy.c:464
#16 unix_to_dos (mp=0x7fffffffd1d0) at mcopy.c:569
#17 0x00005555555669c4 in unix_loop (Stream=Stream@entry=0x0, mp=mp@entry=0x7fffffffd1d0, arg=0x7fffffffdce1 "/dev/null", follow_dir_link=follow_dir_link@entry=1) at mainloop.c:151
#18 0x0000555555566d6a in main_loop (mp=mp@entry=0x7fffffffd1d0, argv=0x7fffffffd8f0, argc=argc@entry=1) at mainloop.c:535
#19 0x0000555555569d62 in mcopy (argc=<optimized out>, argv=0x7fffffffd8d8, mtype=<optimized out>) at mcopy.c:719
#20 0x000055555555877b in main (argc=<optimized out>, argv=<optimized out>) at mtools.c:170
(gdb)
```

Unrelated, but I get this with ubsan:

```
$ fallocate -l 1GiB image ; mkfs.vfat -F 16 -n ESP image ; mcopy -i image /dev/null ::/limine-bios.sys
 mkfs.fat 4.2 (2021-01-31)

 fat.c:216:36: runtime error: left shift of 1 by 63 places cannot be represented in type 'long long int'
     #0 0x56431002de2b in loadSector /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:216
     #1 0x56431005581f in getAddress /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:248
     #2 0x5643100565a3 in check_media_type /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:685
     #3 0x56431005abb8 in old_fat_read /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:759
     #4 0x56431005abb8 in fat_read /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:785
     #5 0x564310075197 in fs_init /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/init.c:582
     #6 0x5643100d5e80 in open_root_dir /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/streamcache.c:65
     #7 0x56431007b757 in common_dos_loop /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mainloop.c:437
     #8 0x56431007d146 in dos_target_lookup /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mainloop.c:481
     #9 0x56431008a5ca in target_lookup /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mcopy.c:163
     #10 0x56431008b246 in mcopy /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mcopy.c:697
     #11 0x564310037561 in main /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mtools.c:170
     #12 0x7fcd8d84a346  (/usr/lib64/libc.so.6+0x24346)
     #13 0x7fcd8d84a408 in __libc_start_main (/usr/lib64/libc.so.6+0x24408)
     #14 0x564310037fa4  (/usr/bin/mtools+0x14fa4)

 directory.c:116:40: runtime error: left shift of negative value -10
     #0 0x558f460c9636 in mk_entry /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/directory.c:116
     #1 0x558f460ebfb6 in mk_entry_from_base /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/directory.c:142
     #2 0x558f46102682 in OpenRoot /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/file.c:768
     #3 0x558f46117757 in common_dos_loop /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mainloop.c:437
     #4 0x558f46119146 in dos_target_lookup /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mainloop.c:481
     #5 0x558f461265ca in target_lookup /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mcopy.c:163
     #6 0x558f46127246 in mcopy /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mcopy.c:697
     #7 0x558f460d3561 in main /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mtools.c:170
     #8 0x7f4be324a346  (/usr/lib64/libc.so.6+0x24346)
     #9 0x7f4be324a408 in __libc_start_main (/usr/lib64/libc.so.6+0x24408)
     #10 0x558f460d3fa4  (/usr/bin/mtools+0x14fa4)

```
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-19 22:51:46 UTC 
It looks like mtools bug reports go to the info-mtools list.
Comment 2 Arsen Arsenović gentoo-dev 2023-11-25 19:03:28 UTC 
sam, did you end up forwarding the report upstream?  if not, I can either report it or fix it
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 19:21:46 UTC 
Iirc no
Comment 4 Arsen Arsenović gentoo-dev 2023-11-25 22:46:49 UTC 
Created attachment 875665 [details, diff]
[PATCH] vfat: fix out-of-bounds write in autorename

patch sent upstream, we could include it downstream too probably.. though i didn't stress test it too hard (but usages of autorename seem to indicate this should be okay..)
Comment 5 Larry the Git Cow gentoo-dev 2024-06-03 01:05:35 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c595962e5b3a1f3df970c2ff1bce3354b7d116f

commit 3c595962e5b3a1f3df970c2ff1bce3354b7d116f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-06-03 00:50:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-06-03 01:04:54 +0000

    sys-fs/mtools: add 4.0.44
    
    Switch to .lz because xz-utils can unpack it these days.
    
    Closes: https://bugs.gentoo.org/916028
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-fs/mtools/Manifest             |  1 +
 sys-fs/mtools/mtools-4.0.44.ebuild | 54 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
Comment 6 Arsen Arsenović gentoo-dev 2024-06-03 01:51:22 UTC 
has the fix been verified, just to be clear?
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-06-03 01:52:58 UTC 
(In reply to Arsen Arsenović from comment #6)
> has the fix been verified, just to be clear?

No - I saw his response to you on the ML and just went with it. (I forgot the invocation to reproduce it and forgot I filed this bug until I was just about to push...)
Comment 8 Arsen Arsenović gentoo-dev 2024-06-03 16:36:23 UTC 
ah, I missed it because the reply wasn't addressed to me.  very well