Bug 916028 - sys-fs/mtools: buffer overflow with mcopy with _FORTIFY_SOURCE=3 when built with -O3
Summary: sys-fs/mtools: buffer overflow with mcopy with _FORTIFY_SOURCE=3 when built w...
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks: 847148
 
Reported: 2023-10-19 22:51 UTC by Sam James
Modified: 2024-02-29 01:10 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
[PATCH] vfat: fix out-of-bounds write in autorename (0001-vfat-fix-out-of-bounds-write-in-autorename.patch,1.08 KB, patch)
2023-11-25 22:46 UTC, Arsen Arsenović
Details | Diff

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-19 22:51:24 UTC
Reported by Arsen, filing so we don't forget about it...

Needs -O3. Happens with _F_S=3.

```
$ fallocate -l 1GiB image ; mkfs.vfat -F 16 -n ESP image ; mcopy -i image /dev/null ::/limine-bios.sys
mkfs.fat 4.2 (2021-01-31)
*** buffer overflow detected ***: terminated
Aborted (core dumped)
```

Under gdb:
```
Program received signal SIGABRT, Aborted.
0x00007ffff7e4a31c in ?? () from /usr/lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7e4a31c in ?? () from /usr/lib64/libc.so.6
#1  0x00007ffff7df10d6 in raise () from /usr/lib64/libc.so.6
#2  0x00007ffff7dd88ce in abort () from /usr/lib64/libc.so.6
#3  0x00007ffff7dd9969 in ?? () from /usr/lib64/libc.so.6
#4  0x00007ffff7ed222b in __fortify_fail () from /usr/lib64/libc.so.6
#5  0x00007ffff7ed1b96 in __chk_fail () from /usr/lib64/libc.so.6
#6  0x00007ffff7e34ee1 in ?? () from /usr/lib64/libc.so.6
#7  0x00007ffff7ed33db in __sprintf_chk () from /usr/lib64/libc.so.6
#8  0x000055555557b5f8 in sprintf (__fmt=0x555555582eaf "%c%d", __s=<optimized out>) at /usr/include/bits/stdio2.h:30
#9  autorename (tilda=126 '~', dot=32 ' ', limit=8, bump=0, illegals=<optimized out>, name=0x7fffffffc614 "LIMINE~1SYS") at vfat.c:130
#10 autorename_short (name=name@entry=0x7fffffffc614, bump=bump@entry=0) at vfat.c:142
#11 0x000055555556326a in dos_name (toDos=0x5555555ac1c0, name=0x7fffffffca70 "limine-bios.sys", verbose=<optimized out>, mangled=0x7fffffffc5ec, dn=0x7fffffffc614) at file_name.c:134
#12 0x0000555555570f60 in convert_to_shortname (dn=0x7fffffffc614, un=0x7fffffffca70 "limine-bios.sys", ch=0x7fffffffd6e0, cp=0x5555555ac1c0) at mk_direntry.c:46
#13 _mwrite_one (Dir=Dir@entry=0x5555555aca00, argname=<optimized out>, argname@entry=0x5555555ace30 "limine-bios.sys", shortname=<optimized out>, shortname@entry=0x0, cb=cb@entry=0x5555555688c0 <writeit>,
    arg=arg@entry=0x7fffffffd1a0, ch=ch@entry=0x7fffffffd6e0) at mk_direntry.c:588
#14 0x0000555555572416 in mwrite_one (Dir=0x5555555aca00, _argname=<optimized out>, _shortname=_shortname@entry=0x0, cb=cb@entry=0x5555555688c0 <writeit>, arg=arg@entry=0x7fffffffd1a0,
    ch=ch@entry=0x7fffffffd6e0) at mk_direntry.c:665
#15 0x000055555556957e in dos_write (needfilter=1, mp=0x7fffffffd1d0, entry=0x0) at mcopy.c:464
#16 unix_to_dos (mp=0x7fffffffd1d0) at mcopy.c:569
#17 0x00005555555669c4 in unix_loop (Stream=Stream@entry=0x0, mp=mp@entry=0x7fffffffd1d0, arg=0x7fffffffdce1 "/dev/null", follow_dir_link=follow_dir_link@entry=1) at mainloop.c:151
#18 0x0000555555566d6a in main_loop (mp=mp@entry=0x7fffffffd1d0, argv=0x7fffffffd8f0, argc=argc@entry=1) at mainloop.c:535
#19 0x0000555555569d62 in mcopy (argc=<optimized out>, argv=0x7fffffffd8d8, mtype=<optimized out>) at mcopy.c:719
#20 0x000055555555877b in main (argc=<optimized out>, argv=<optimized out>) at mtools.c:170
(gdb)
```

Unrelated, but I get this with ubsan:

```
$ fallocate -l 1GiB image ; mkfs.vfat -F 16 -n ESP image ; mcopy -i image /dev/null ::/limine-bios.sys
 mkfs.fat 4.2 (2021-01-31)

 fat.c:216:36: runtime error: left shift of 1 by 63 places cannot be represented in type 'long long int'
     #0 0x56431002de2b in loadSector /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:216
     #1 0x56431005581f in getAddress /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:248
     #2 0x5643100565a3 in check_media_type /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:685
     #3 0x56431005abb8 in old_fat_read /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:759
     #4 0x56431005abb8 in fat_read /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/fat.c:785
     #5 0x564310075197 in fs_init /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/init.c:582
     #6 0x5643100d5e80 in open_root_dir /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/streamcache.c:65
     #7 0x56431007b757 in common_dos_loop /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mainloop.c:437
     #8 0x56431007d146 in dos_target_lookup /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mainloop.c:481
     #9 0x56431008a5ca in target_lookup /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mcopy.c:163
     #10 0x56431008b246 in mcopy /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mcopy.c:697
     #11 0x564310037561 in main /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mtools.c:170
     #12 0x7fcd8d84a346  (/usr/lib64/libc.so.6+0x24346)
     #13 0x7fcd8d84a408 in __libc_start_main (/usr/lib64/libc.so.6+0x24408)
     #14 0x564310037fa4  (/usr/bin/mtools+0x14fa4)

 directory.c:116:40: runtime error: left shift of negative value -10
     #0 0x558f460c9636 in mk_entry /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/directory.c:116
     #1 0x558f460ebfb6 in mk_entry_from_base /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/directory.c:142
     #2 0x558f46102682 in OpenRoot /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/file.c:768
     #3 0x558f46117757 in common_dos_loop /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mainloop.c:437
     #4 0x558f46119146 in dos_target_lookup /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mainloop.c:481
     #5 0x558f461265ca in target_lookup /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mcopy.c:163
     #6 0x558f46127246 in mcopy /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mcopy.c:697
     #7 0x558f460d3561 in main /usr/src/debug/sys-fs/mtools-4.0.43/mtools-4.0.43/mtools.c:170
     #8 0x7f4be324a346  (/usr/lib64/libc.so.6+0x24346)
     #9 0x7f4be324a408 in __libc_start_main (/usr/lib64/libc.so.6+0x24408)
     #10 0x558f460d3fa4  (/usr/bin/mtools+0x14fa4)

```
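The backtrace above ends in `__sprintf_chk` called from an `sprintf` with the format `"%c%d"` inside `autorename`, working on a fixed-size short name while `_FORTIFY_SOURCE=3` is active. The following is an added example, not mtools' code and not the attached patch, that shows the shape of that failure class and a bounded alternative: an 11-byte 8.3 short name (base in bytes 0-7, extension in 8-10, no terminating NUL), an insertion position, and the rule "printed number is bump + 1" are all assumptions made here for illustration, as are the function names `autorename_unbounded`, `autorename_bounded` and `short_to_display`. The unbounded form lets the format string decide how many bytes land in the buffer (including a NUL that is never wanted in a FAT name); the bounded form measures the suffix first, refuses it when it cannot fit, and copies exactly the measured bytes.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed layout (an illustration, not mtools' data structure): an 8.3
 * short name stored as 11 bytes, base in [0,8), extension in [8,11),
 * space-padded, with no terminating NUL. */
#define BASE_LEN  8
#define EXT_LEN   3
#define SHORT_LEN (BASE_LEN + EXT_LEN)

/* The risky shape: the format string decides how many bytes land in the
 * buffer; the buffer size never enters the call. "%c%ld" emits the tilde,
 * 1..19 digits and a NUL, so a large counter or a late insertion point
 * runs past the end of the 11-byte array. Under _FORTIFY_SOURCE the call
 * is routed to __sprintf_chk with the compiler-inferred object size, which
 * is what aborts in the backtrace above. Even when the digits fit, the
 * trailing NUL lands on the byte after them. */
static void autorename_unbounded(char name[SHORT_LEN], int pos, char tilda, int bump)
{
    sprintf(name + pos, "%c%ld", tilda, (long)bump + 1);   /* unbounded: avoid */
}

/* Bounded variant: format the suffix into scratch space, measure it,
 * refuse if it cannot fit in the base at all, otherwise pull the insertion
 * point left so "~N" ends exactly at the base/extension boundary, and copy
 * without a NUL so the extension is untouched.
 * Returns false (name unchanged) when the suffix does not fit. */
static bool autorename_bounded(char name[SHORT_LEN], int pos, char tilda, int bump)
{
    char suffix[32];   /* tilde + sign + 19 digits + NUL fits comfortably */
    int len = snprintf(suffix, sizeof suffix, "%c%ld", tilda, (long)bump + 1);
    if (len < 0 || len > BASE_LEN)
        return false;
    if (pos < 0 || pos > BASE_LEN - len)
        pos = BASE_LEN - len;
    memcpy(name + pos, suffix, (size_t)len);
    return true;
}

/* Render the 11-byte name as "BASE.EXT" for display (out holds 13 bytes). */
static void short_to_display(const char name[SHORT_LEN], char out[SHORT_LEN + 2])
{
    memcpy(out, name, BASE_LEN);
    out[BASE_LEN] = '.';
    memcpy(out + BASE_LEN + 1, name + BASE_LEN, EXT_LEN);
    out[SHORT_LEN + 1] = '\0';
}

int main(void)
{
    /* Constructed sample: the short form of "limine-bios.sys" from the report. */
    char name[SHORT_LEN];
    char shown[SHORT_LEN + 2];

    memcpy(name, "LIMINE  SYS", SHORT_LEN);
    autorename_bounded(name, 6, '~', 0);
    short_to_display(name, shown);
    printf("bounded, bump 0:         %s\n", shown);   /* LIMINE~1.SYS */

    autorename_bounded(name, 6, '~', 99999);
    short_to_display(name, shown);
    printf("bounded, bump 99999:     %s\n", shown);   /* L~100000.SYS */

    memcpy(name, "LIMINE  SYS", SHORT_LEN);
    if (!autorename_bounded(name, 6, '~', 999999999))
        printf("bounded, bump 999999999: suffix does not fit, name left as is\n");

    /* The unbounded call stays inside the array here, yet its NUL
     * overwrites the first extension byte ('S'). */
    memcpy(name, "LIMINE  SYS", SHORT_LEN);
    autorename_unbounded(name, 6, '~', 0);
    printf("unbounded, bump 0:       extension byte 0 is %s\n",
           name[BASE_LEN] == '\0' ? "NUL (clobbered)" : "intact");
    return 0;
}
```

The point of measuring with `snprintf` into scratch space first is that the decision "does it fit?" is made before any byte touches the real buffer, so the failure mode becomes a boolean the caller must handle rather than a write the hardening layer has to catch.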
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-19 22:51:46 UTC
It looks like mtools bug reports go to the info-mtools list.
Comment 2 Arsen Arsenović gentoo-dev 2023-11-25 19:03:28 UTC
Sam, did you end up forwarding the report upstream? If not, I can either report it or fix it.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 19:21:46 UTC
IIRC, no.
Comment 4 Arsen Arsenović gentoo-dev 2023-11-25 22:46:49 UTC
Created attachment 875665 [details, diff]
[PATCH] vfat: fix out-of-bounds write in autorename

Patch sent upstream; we could probably include it downstream too, though I didn't stress test it too hard (but usages of autorename seem to indicate this should be okay).