Bug 1532271

Summary: [xfs_db] unexpected print argument crash xfs_db
Product: Red Hat Enterprise Linux 7
Reporter: JianHong Yin <jiyin>
Component: xfsprogs
Assignee: Eric Sandeen <esandeen>
Status: CLOSED ERRATA
QA Contact: Zorro Lang <zlang>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: esandeen, xzhou, zlang
Target Milestone: rc
Target Release: ---
Keywords: Patch, Reproducer
Hardware: x86_64
OS: Linux
Fixed In Version: xfsprogs-4.5.0-16.el7
Doc Type: If docs needed, set a value
Last Closed: 2018-10-30 11:38:11 UTC
Type: Bug
Regression: ---

Description JianHong Yin 2018-01-08 14:36:48 UTC
Description of problem:

An unexpected print argument crashes xfs_db.

Version-Release number of selected component (if applicable):
xfsprogs-4.5.0-12.el7.x86_64

How reproducible:
always

Steps to Reproduce:
0. ls -li afile
1. xfs_db -r -c "inode $inodeNumber" -c 'p core.*' /dev/mapper/$devfile

Actual results:
[root@test ~]# rpm -q xfsprogs
xfsprogs-4.5.0-12.el7.x86_64
[root@test ~]# ls -li
total 48
100663382 -rw-------. 1 root root 17344 Jan  8 09:15 anaconda-ks.cfg
100663363 -rw-r--r--. 1 root root     4 Jan  8 09:14 NETBOOT_METHOD.TXT
100663381 -rw-------. 1 root root 16911 Jan  8 09:15 original-ks.cfg
100663362 -rw-r--r--. 1 root root     8 Jan  8 09:14 RECIPE.TXT
[root@test ~]# xfs_db -r -c "inode 16911" -c 'p core.*' /dev/mapper/rhel_hp--dl320egen8--01-home
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata corruption detected at xfs_inode block 0x4200/0x2000
Metadata CRC error detected for ino 16911
bad character in field *
*** Error in `xfs_db': free(): invalid pointer: 0x00007f4be862a7b8 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7c619)[0x7f4be82ea619]
xfs_db[0x4139d1]
xfs_db[0x4144b6]
xfs_db[0x41f2aa]
xfs_db[0x41ee76]
xfs_db[0x405180]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f4be828fc05]
xfs_db[0x4052d6]
======= Memory map: ========
00400000-0048a000 r-xp 00000000 fd:00 34351826                           /usr/sbin/xfs_db
00689000-0068a000 r--p 00089000 fd:00 34351826                           /usr/sbin/xfs_db
0068a000-0068d000 rw-p 0008a000 fd:00 34351826                           /usr/sbin/xfs_db
0068d000-0069c000 rw-p 00000000 00:00 0
00856000-00877000 rw-p 00000000 00:00 0                                  [heap]
7f4bdc000000-7f4bdc021000 rw-p 00000000 00:00 0
7f4bdc021000-7f4be0000000 ---p 00000000 00:00 0
7f4be1905000-7f4be191a000 r-xp 00000000 fd:00 33554518                   /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f4be191a000-7f4be1b19000 ---p 00015000 fd:00 33554518                   /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f4be1b19000-7f4be1b1a000 r--p 00014000 fd:00 33554518                   /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f4be1b1a000-7f4be1b1b000 rw-p 00015000 fd:00 33554518                   /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f4be1b1b000-7f4be8044000 r--p 00000000 fd:00 27412                      /usr/lib/locale/locale-archive
7f4be8044000-7f4be8069000 r-xp 00000000 fd:00 33641827                   /usr/lib64/libtinfo.so.5.9
7f4be8069000-7f4be8269000 ---p 00025000 fd:00 33641827                   /usr/lib64/libtinfo.so.5.9
7f4be8269000-7f4be826d000 r--p 00025000 fd:00 33641827                   /usr/lib64/libtinfo.so.5.9
7f4be826d000-7f4be826e000 rw-p 00029000 fd:00 33641827                   /usr/lib64/libtinfo.so.5.9
7f4be826e000-7f4be8426000 r-xp 00000000 fd:00 33641471                   /usr/lib64/libc-2.17.so
7f4be8426000-7f4be8626000 ---p 001b8000 fd:00 33641471                   /usr/lib64/libc-2.17.so
7f4be8626000-7f4be862a000 r--p 001b8000 fd:00 33641471                   /usr/lib64/libc-2.17.so
7f4be862a000-7f4be862c000 rw-p 001bc000 fd:00 33641471                   /usr/lib64/libc-2.17.so
7f4be862c000-7f4be8631000 rw-p 00000000 00:00 0
7f4be8631000-7f4be866d000 r-xp 00000000 fd:00 33655376                   /usr/lib64/libreadline.so.6.2
7f4be866d000-7f4be886d000 ---p 0003c000 fd:00 33655376                   /usr/lib64/libreadline.so.6.2
7f4be886d000-7f4be886f000 r--p 0003c000 fd:00 33655376                   /usr/lib64/libreadline.so.6.2
7f4be886f000-7f4be8875000 rw-p 0003e000 fd:00 33655376                   /usr/lib64/libreadline.so.6.2
7f4be8875000-7f4be8877000 rw-p 00000000 00:00 0
7f4be8877000-7f4be888e000 r-xp 00000000 fd:00 33641497                   /usr/lib64/libpthread-2.17.so
7f4be888e000-7f4be8a8d000 ---p 00017000 fd:00 33641497                   /usr/lib64/libpthread-2.17.so
7f4be8a8d000-7f4be8a8e000 r--p 00016000 fd:00 33641497                   /usr/lib64/libpthread-2.17.so
7f4be8a8e000-7f4be8a8f000 rw-p 00017000 fd:00 33641497                   /usr/lib64/libpthread-2.17.so
7f4be8a8f000-7f4be8a93000 rw-p 00000000 00:00 0
7f4be8a93000-7f4be8a9a000 r-xp 00000000 fd:00 33641501                   /usr/lib64/librt-2.17.so
7f4be8a9a000-7f4be8c99000 ---p 00007000 fd:00 33641501                   /usr/lib64/librt-2.17.so
7f4be8c99000-7f4be8c9a000 r--p 00006000 fd:00 33641501                   /usr/lib64/librt-2.17.so
7f4be8c9a000-7f4be8c9b000 rw-p 00007000 fd:00 33641501                   /usr/lib64/librt-2.17.so
7f4be8c9b000-7f4be8c9f000 r-xp 00000000 fd:00 33655275                   /usr/lib64/libuuid.so.1.3.0
7f4be8c9f000-7f4be8e9e000 ---p 00004000 fd:00 33655275                   /usr/lib64/libuuid.so.1.3.0
7f4be8e9e000-7f4be8e9f000 r--p 00003000 fd:00 33655275                   /usr/lib64/libuuid.so.1.3.0
7f4be8e9f000-7f4be8ea0000 rw-p 00004000 fd:00 33655275                   /usr/lib64/libuuid.so.1.3.0
7f4be8ea0000-7f4be8ec1000 r-xp 00000000 fd:00 33641464                   /usr/lib64/ld-2.17.so
7f4be90b1000-7f4be90b6000 rw-p 00000000 00:00 0
7f4be90be000-7f4be90c1000 rw-p 00000000 00:00 0
7f4be90c1000-7f4be90c2000 r--p 00021000 fd:00 33641464                   /usr/lib64/ld-2.17.so
7f4be90c2000-7f4be90c3000 rw-p 00022000 fd:00 33641464                   /usr/lib64/ld-2.17.so
7f4be90c3000-7f4be90c4000 rw-p 00000000 00:00 0
7ffc636f9000-7ffc6371a000 rw-p 00000000 00:00 0                          [stack]
7ffc637f5000-7ffc637f7000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted


Expected results:
no crash

Additional info:

Comment 2 Zorro Lang 2018-01-09 04:32:34 UTC
By reading the xfsprogs code, I feel this is a bug because flist_split() doesn't add a NULL as the tail of the flist_t when it finds "a bad character in field *" and calls ftok_free(v) directly:
---
        while (*s) {
                ...
                ...

                } else {
                        dbprintf(_("bad character in field %s\n"), s);
--->                    ftok_free(v);
                        return NULL;
                }
                ...
                ...

        }
        v[nv].tok = NULL;
        v[nv].tokty = TT_END;
        return v;
---


ftok_free() does:
---
       for (p = ft; p->tok; p++)
                xfree(p->tok);
---

It tries to find p->tok == NULL, but it can't because flist_split() forgot to set it. So it will go out of bounds and try to free an illegal memory address.

Thanks,
Zorro
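
A standalone model of the tokenizer this comment describes, added here as an example and not code from xfsprogs or from the commenters: the names flist_split, ftok_free, ftok_t and the TT_* kinds follow the report, while the token grammar (dot-separated names plus "[N]" indexes), scan_token, the errp parameter and the realloc() growth pattern are assumptions of the example. The array is always allocated one slot larger than the tokens so the TT_END sentinel can be written, and the error path writes it before calling ftok_free(), which is the change the analysis above calls for.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Token kinds and array element, following the names in the report. */
typedef enum { TT_NAME, TT_NUM, TT_END } tokty_t;
typedef struct ftok {
	char	*tok;		/* token text; NULL marks the end of the array */
	tokty_t	tokty;
} ftok_t;

/* Same walk as the ftok_free() quoted above: it stops only at a NULL tok. */
static void ftok_free(ftok_t *ft)
{
	ftok_t	*p;
	for (p = ft; p->tok; p++)
		free(p->tok);
	free(ft);
}

/* Assumed grammar: a name is [A-Za-z_][A-Za-z0-9_]*, an index is "[digits]".
 * Returns a malloc'd copy of the token and advances *sp past it, or returns
 * NULL without advancing on any other character (such as '*'). */
static char *scan_token(const char **sp, tokty_t *ty)
{
	const char	*s = *sp, *start;
	char		*tok;
	size_t		len;

	if (isalpha((unsigned char)*s) || *s == '_') {
		start = s;
		while (isalnum((unsigned char)*s) || *s == '_')
			s++;
		*ty = TT_NAME;
	} else if (*s == '[' && isdigit((unsigned char)s[1])) {
		start = ++s;
		while (isdigit((unsigned char)*s))
			s++;
		if (*s != ']')
			return NULL;
		*ty = TT_NUM;
	} else {
		return NULL;
	}
	len = (size_t)(s - start);
	if (!(tok = malloc(len + 1)))
		abort();
	memcpy(tok, start, len);
	tok[len] = '\0';
	*sp = (*ty == TT_NUM) ? s + 1 : s;	/* step over the closing ']' */
	return tok;
}

/* Split "core.magic" / "u3.bmx[2]" into tokens.  The array grows with
 * realloc() as in the report, so the slot after the last token is
 * uninitialised until the TT_END sentinel is written.  Returns NULL on a
 * bad character; *errp then points at that character. */
static ftok_t *flist_split(const char *s, const char **errp)
{
	ftok_t	*v = malloc(sizeof(*v));	/* room for the sentinel */
	int	nv = 0;

	if (!v)
		abort();
	*errp = NULL;
	while (*s) {
		tokty_t	ty;
		char	*tok;

		if (*s == '.') {
			s++;
			continue;
		}
		if (!(tok = scan_token(&s, &ty))) {
			*errp = s;
			/* The fix: terminate the array before ftok_free() walks
			 * it.  Without these two lines ftok_free() reads the
			 * uninitialised v[nv].tok and hands it to free(), which
			 * is the "free(): invalid pointer" abort in the report. */
			v[nv].tok = NULL;
			v[nv].tokty = TT_END;
			ftok_free(v);
			return NULL;
		}
		if (!(v = realloc(v, (nv + 2) * sizeof(*v))))	/* + sentinel */
			abort();
		v[nv].tok = tok;
		v[nv].tokty = ty;
		nv++;
	}
	v[nv].tok = NULL;
	v[nv].tokty = TT_END;
	return v;
}

int main(void)
{
	const char	*err;
	ftok_t		*v = flist_split("core.magic", &err);
	for (int i = 0; v[i].tok; i++)
		printf("token %d: %s\n", i, v[i].tok);
	ftok_free(v);
	if (!flist_split("core.*", &err))
		printf("bad character in field %s\n", err);
	return 0;
}
```

Deleting the two terminator lines in the error path and building with -fsanitize=address is a quick way to confirm the failure mode: ftok_free() then walks into the uninitialised spare slot and whatever it finds there goes to free().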

Comment 3 Eric Sandeen 2018-01-09 15:40:40 UTC
This is probably fixed by:

commit 945e47e2fcc5d1cec693122286da06d8ab829c52
Author: Darrick J. Wong <darrick.wong>
Date:   Thu Jan 4 13:58:29 2018 -0600

    xfs_db: fix crash when field list selector string has trailing slash

Comment 4 JianHong Yin 2018-01-10 00:32:20 UTC
JFYI:

same result if using the latest xfsprogs-4.14.0

[root@bkr-hv03-guest32 xfsprogs-4.14.0]# ./db/xfs_db -r ~/xfsprogs-4.14.0/xfs.image -c inode\ 67  -c p\ core.*
bad character in field *
*** Error in `./db/xfs_db': free(): invalid pointer: 0x00007fc2a5d597b8 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x81309)[0x7fc2a5a14309]
./db/xfs_db[0x413fa1]
./db/xfs_db[0x414a76]
./db/xfs_db[0x42012a]
./db/xfs_db[0x41fcf6]
./db/xfs_db[0x404d90]
/lib64/libc.so.6(__libc_start_main+0xf7)[0x7fc2a59b5377]
./db/xfs_db[0x404ed6]
======= Memory map: ========
00400000-0049c000 r-xp 00000000 fd:00 56258003                           /root/xfsprogs-4.14.0/db/xfs_db
0069b000-0069c000 r--p 0009b000 fd:00 56258003                           /root/xfsprogs-4.14.0/db/xfs_db
0069c000-006a1000 rw-p 0009c000 fd:00 56258003                           /root/xfsprogs-4.14.0/db/xfs_db
006a1000-006b0000 rw-p 00000000 00:00 0
01622000-01643000 rw-p 00000000 00:00 0                                  [heap]
7fc298000000-7fc298021000 rw-p 00000000 00:00 0
7fc298021000-7fc29c000000 ---p 00000000 00:00 0
7fc29f254000-7fc29f269000 r-xp 00000000 fd:00 94                         /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7fc29f269000-7fc29f468000 ---p 00015000 fd:00 94                         /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7fc29f468000-7fc29f469000 r--p 00014000 fd:00 94                         /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7fc29f469000-7fc29f46a000 rw-p 00015000 fd:00 94                         /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7fc29f46a000-7fc2a5993000 r--p 00000000 fd:00 16827493                   /usr/lib/locale/locale-archive
7fc2a5993000-7fc2a5b56000 r-xp 00000000 fd:00 87137                      /usr/lib64/libc-2.17.so
7fc2a5b56000-7fc2a5d55000 ---p 001c3000 fd:00 87137                      /usr/lib64/libc-2.17.so
7fc2a5d55000-7fc2a5d59000 r--p 001c2000 fd:00 87137                      /usr/lib64/libc-2.17.so
7fc2a5d59000-7fc2a5d5b000 rw-p 001c6000 fd:00 87137                      /usr/lib64/libc-2.17.so
7fc2a5d5b000-7fc2a5d60000 rw-p 00000000 00:00 0
7fc2a5d60000-7fc2a5d77000 r-xp 00000000 fd:00 87163                      /usr/lib64/libpthread-2.17.so
7fc2a5d77000-7fc2a5f76000 ---p 00017000 fd:00 87163                      /usr/lib64/libpthread-2.17.so
7fc2a5f76000-7fc2a5f77000 r--p 00016000 fd:00 87163                      /usr/lib64/libpthread-2.17.so
7fc2a5f77000-7fc2a5f78000 rw-p 00017000 fd:00 87163                      /usr/lib64/libpthread-2.17.so
7fc2a5f78000-7fc2a5f7c000 rw-p 00000000 00:00 0
7fc2a5f7c000-7fc2a5f83000 r-xp 00000000 fd:00 87167                      /usr/lib64/librt-2.17.so
7fc2a5f83000-7fc2a6182000 ---p 00007000 fd:00 87167                      /usr/lib64/librt-2.17.so
7fc2a6182000-7fc2a6183000 r--p 00006000 fd:00 87167                      /usr/lib64/librt-2.17.so
7fc2a6183000-7fc2a6184000 rw-p 00007000 fd:00 87167                      /usr/lib64/librt-2.17.so
7fc2a6184000-7fc2a6188000 r-xp 00000000 fd:00 92749                      /usr/lib64/libuuid.so.1.3.0
7fc2a6188000-7fc2a6387000 ---p 00004000 fd:00 92749                      /usr/lib64/libuuid.so.1.3.0
7fc2a6387000-7fc2a6388000 r--p 00003000 fd:00 92749                      /usr/lib64/libuuid.so.1.3.0
7fc2a6388000-7fc2a6389000 rw-p 00004000 fd:00 92749                      /usr/lib64/libuuid.so.1.3.0
7fc2a6389000-7fc2a63ab000 r-xp 00000000 fd:00 87130                      /usr/lib64/ld-2.17.so
7fc2a659b000-7fc2a659f000 rw-p 00000000 00:00 0
7fc2a65a7000-7fc2a65aa000 rw-p 00000000 00:00 0
7fc2a65aa000-7fc2a65ab000 r--p 00021000 fd:00 87130                      /usr/lib64/ld-2.17.so
7fc2a65ab000-7fc2a65ac000 rw-p 00022000 fd:00 87130                      /usr/lib64/ld-2.17.so
7fc2a65ac000-7fc2a65ad000 rw-p 00000000 00:00 0
7ffe0e916000-7ffe0e937000 rw-p 00000000 00:00 0                          [stack]
7ffe0e941000-7ffe0e944000 r--p 00000000 00:00 0                          [vvar]
7ffe0e944000-7ffe0e946000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

Comment 5 JianHong Yin 2018-01-10 00:53:36 UTC
Update:

latest https://github.com/djwong/xfsprogs works fine:

[root@bkr-hv03-guest32 xfsprogs]# ./db/xfs_db -r ~/xfs.image -c inode\ 67  -c p\ core.*
bad character in field *

Comment 14 errata-xmlrpc 2018-10-30 11:38:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3274