Bug 916028

Summary:	sys-fs/mtools: buffer overflow with mcopy with _FORTIFY_SOURCE=3 when built with -O3
Product:	Gentoo Linux	Reporter:	Sam James <sam>
Component:	Current packages	Assignee:	Gentoo's Team for Core System packages <base-system>
Status:	RESOLVED FIXED
Severity:	normal	CC:	arsen
Priority:	Normal	Keywords:	PATCH
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	847148
Attachments:	[PATCH] vfat: fix out-of-bounds write in autorename

Description Sam James archtester

2023-10-19 22:51:24 UTC

Reported by Arsen, filing so we don't forget about it...

Needs -O3. Happens with _F_S=3.

```
$ fallocate -l 1GiB image ; mkfs.vfat -F 16 -n ESP image ; mcopy -i image /dev/null ::/limine-bios.sys
mkfs.fat 4.2 (2021-01-31)
*** buffer overflow detected ***: terminated
Aborted (core dumped)
```

Under gdb:
```
Program received signal SIGABRT, Aborted.
0x00007ffff7e4a31c in ?? () from /usr/lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7e4a31c in ?? () from /usr/lib64/libc.so.6
#1  0x00007ffff7df10d6 in raise () from /usr/lib64/libc.so.6
#2  0x00007ffff7dd88ce in abort () from /usr/lib64/libc.so.6
#3  0x00007ffff7dd9969 in ?? () from /usr/lib64/libc.so.6
#4  0x00007ffff7ed222b in __fortify_fail () from /usr/lib64/libc.so.6
#5  0x00007ffff7ed1b96 in __chk_fail () from /usr/lib64/libc.so.6
#6  0x00007ffff7e34ee1 in ?? () from /usr/lib64/libc.so.6
#7  0x00007ffff7ed33db in __sprintf_chk () from /usr/lib64/libc.so.6
#8  0x000055555557b5f8 in sprintf (__fmt=0x555555582eaf "%c%d", __s=<optimized out>) at /usr/include/bits/stdio2.h:30
#9  autorename (tilda=126 '~', dot=32 ' ', limit=8, bump=0, illegals=<optimized out>, name=0x7fffffffc614 "LIMINE~1SYS") at vfat.c:130
#10 autorename_short (name=name@entry=0x7fffffffc614, bump=bump@entry=0) at vfat.c:142
#11 0x000055555556326a in dos_name (toDos=0x5555555ac1c0, name=0x7fffffffca70 "limine-bios.sys", verbose=<optimized out>, mangled=0x7fffffffc5ec, dn=0x7fffffffc614) at file_name.c:134
#12 0x0000555555570f60 in convert_to_shortname (dn=0x7fffffffc614, un=0x7fffffffca70 "limine-bios.sys", ch=0x7fffffffd6e0, cp=0x5555555ac1c0) at mk_direntry.c:46
#13 _mwrite_one (Dir=Dir@entry=0x5555555aca00, argname=<optimized out>, argname@entry=0x5555555ace30 "limine-bios.sys", shortname=<optimized out>, shortname@entry=0x0, cb=cb@entry=0x5555555688c0 <writeit>,
    arg=arg@entry=0x7fffffffd1a0, ch=ch@entry=0x7fffffffd6e0) at mk_direntry.c:588
#14 0x0000555555572416 in mwrite_one (Dir=0x5555555aca00, _argname=<optimized out>, _shortname=_shortname@entry=0x0, cb=cb@entry=0x5555555688c0 <writeit>, arg=arg@entry=0x7fffffffd1a0,
    ch=ch@entry=0x7fffffffd6e0) at mk_direntry.c:665
#15 0x000055555556957e in dos_write (needfilter=1, mp=0x7fffffffd1d0, entry=0x0) at mcopy.c:464
#16 unix_to_dos (mp=0x7fffffffd1d0) at mcopy.c:569
#17 0x00005555555669c4 in unix_loop (Stream=Stream@entry=0x0, mp=mp@entry=0x7fffffffd1d0, arg=0x7fffffffdce1 "/dev/null", follow_dir_link=follow_dir_link@entry=1) at mainloop.c:151
#18 0x0000555555566d6a in main_loop (mp=mp@entry=0x7fffffffd1d0, argv=0x7fffffffd8f0, argc=argc@entry=1) at mainloop.c:535
#19 0x0000555555569d62 in mcopy (argc=<optimized out>, argv=0x7fffffffd8d8, mtype=<optimized out>) at mcopy.c:719
#20 0x000055555555877b in main (argc=<optimized out>, argv=<optimized out>) at mtools.c:170
(gdb)
```

Unrelated, but I get this with ubsan:

```
$ fallocate -l 1GiB image ; mkfs.vfat -F 16 -n ESP image ; mcopy -i image /dev/null ::/limine-bios.sys
 mkfs.fat 4.2 (2021-01-31)

 fat.c:216:36: runtime error: left shift of 1 by 63 places cannot be represented in type 'long long int'
     #0 0x56431002de2b in loadSector /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:216
     #1 0x56431005581f in getAddress /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:248
     #2 0x5643100565a3 in check_media_type /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:685
     #3 0x56431005abb8 in old_fat_read /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:759
     #4 0x56431005abb8 in fat_read /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:785
     #5 0x564310075197 in fs_init /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/init.c:582
     #6 0x5643100d5e80 in open_root_dir /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/streamcache.c:65
     #7 0x56431007b757 in common_dos_loop /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mainloop.c:437
     #8 0x56431007d146 in dos_target_lookup /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mainloop.c:481
     #9 0x56431008a5ca in target_lookup /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mcopy.c:163
     #10 0x56431008b246 in mcopy /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mcopy.c:697
     #11 0x564310037561 in main /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mtools.c:170
     #12 0x7fcd8d84a346  (/usr/lib64/libc.so.6+0x24346)
     #13 0x7fcd8d84a408 in __libc_start_main (/usr/lib64/libc.so.6+0x24408)
     #14 0x564310037fa4  (/usr/bin/mtools+0x14fa4)

 directory.c:116:40: runtime error: left shift of negative value -10
     #0 0x558f460c9636 in mk_entry /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/directory.c:116
     #1 0x558f460ebfb6 in mk_entry_from_base /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/directory.c:142
     #2 0x558f46102682 in OpenRoot /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/file.c:768
     #3 0x558f46117757 in common_dos_loop /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mainloop.c:437
     #4 0x558f46119146 in dos_target_lookup /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mainloop.c:481
     #5 0x558f461265ca in target_lookup /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mcopy.c:163
     #6 0x558f46127246 in mcopy /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mcopy.c:697
     #7 0x558f460d3561 in main /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mtools.c:170
     #8 0x7f4be324a346  (/usr/lib64/libc.so.6+0x24346)
     #9 0x7f4be324a408 in __libc_start_main (/usr/lib64/libc.so.6+0x24408)
     #10 0x558f460d3fa4  (/usr/bin/mtools+0x14fa4)

```

Comment 1 Sam James archtester

2023-10-19 22:51:46 UTC

It looks like mtools bug reports go to the info-mtools list.

Comment 2 Arsen Arsenović gentoo-dev

2023-11-25 19:03:28 UTC

sam, did you end up forwarding the report upstream?  if not, I can either report it or fix it

Comment 3 Sam James archtester

2023-11-25 19:21:46 UTC

Iirc no

Comment 4 Arsen Arsenović gentoo-dev

2023-11-25 22:46:49 UTC

Created attachment 875665 [details, diff]
[PATCH] vfat: fix out-of-bounds write in autorename

patch sent upstream, we could include it downstream too probably.. though i didn't stress test it too hard (but usages of autorename seem to indicate this should be okay..)

Comment 5 Larry the Git Cow gentoo-dev

2024-06-03 01:05:35 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c595962e5b3a1f3df970c2ff1bce3354b7d116f

commit 3c595962e5b3a1f3df970c2ff1bce3354b7d116f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-06-03 00:50:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-06-03 01:04:54 +0000

    sys-fs/mtools: add 4.0.44
    
    Switch to .lz because xz-utils can unpack it these days.
    
    Closes: https://bugs.gentoo.org/916028
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-fs/mtools/Manifest             |  1 +
 sys-fs/mtools/mtools-4.0.44.ebuild | 54 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)

Comment 6 Arsen Arsenović gentoo-dev

2024-06-03 01:51:22 UTC

has the fix been verified, just to be clear?

Comment 7 Sam James archtester

2024-06-03 01:52:58 UTC

(In reply to Arsen Arsenović from comment #6)
> has the fix been verified, just to be clear?

No - I saw his response to you on the ML and just went with it. (I forgot the invocation to reproduce it and forgot I filed this bug until I was just about to push...)

Comment 8 Arsen Arsenović gentoo-dev

2024-06-03 16:36:23 UTC

ah, I missed it because the reply wasn't addressed to me.  very well