Bug 2062140

Summary: restore crashes on corrupted dump file
Product: Red Hat Enterprise Linux 8
Reporter: Karel Srot <ksrot>
Component: dump
Assignee: Josef Ridky <jridky>
Status: NEW
QA Contact: CS System Management SST QE <rhel-cs-system-management-subsystem-qe>
Severity: medium
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug

Description Karel Srot 2022-03-09 09:14:00 UTC
This bug was initially created as a copy of Bug #1533087.

I am copying this bug because:
Most likely some of these issues are the same.
This time I have reproduced the problem on RHEL-8.

dump-0.4-0.36.b46.el8.x86_64


Description of problem:

Using the AFL fuzzer I have discovered a few files that cause the restore command to crash. The files are attached in the archive.

Reproducers repr1, repr2 and repr3 are attached.

How reproducible:
always

Steps to Reproduce:
1. restore -y -t -f FILE

Actual results:
crashes described above

Expected results:
error reports

Additional info:
Found by the AFL fuzzer.



(gdb) run -y -t -f repr1
Starting program: /usr/sbin/restore -y -t -f repr1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Dump   date: Wed Mar  9 03:17:26 2022
Dumped from: the epoch
Level 0 dump of /tmp/tmp.IpfI8jirKF/mountpoint on ci-vm-10-0-137-130.hosted.upshift.rdu2.redhat.com:/dev/loop0
Label: none
Checksum error 244735, inode 0 file (null)
no header after volume mark!
Incorrect block for <file removal list> at 3 blocks
Missing blocks at the end of <file removal list>, assuming hole
hole in map
/usr/sbin/restore: <file removal list>: ftruncate: Invalid argument
malloc(): invalid size (unsorted)

Program received signal SIGABRT, Aborted.
0x00007ffff68f6a4f in raise () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007ffff68f6a4f in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007ffff68c9db5 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007ffff6939057 in __libc_message () from /lib64/libc.so.6
No symbol table info available.
#3  0x00007ffff69401bc in malloc_printerr () from /lib64/libc.so.6
No symbol table info available.
#4  0x00007ffff694304c in _int_malloc () from /lib64/libc.so.6
No symbol table info available.
#5  0x00007ffff69454a6 in calloc () from /lib64/libc.so.6
No symbol table info available.
#6  0x0000555555559a2d in allocinotab (seekpt=<optimized out>, ino=2) at dirs.c:897
        itp = <optimized out>
        itp = <optimized out>
#7  extractdirs (genmode=<optimized out>) at dirs.c:240
        i = <optimized out>
        ip = {di_mode = 16877, di_nlink = 3, di_u = {oldids = {0, 0}, inumber = 0}, di_size = 512, di_atime = {tv_sec = 1646813846, tv_usec = 0}, 
          di_mtime = {tv_sec = 1646813846, tv_usec = 0}, di_ctime = {tv_sec = 1646813846, tv_usec = 0}, di_db = {44, 0 <repeats 11 times>}, di_ib = {0, 0, 
            0}, di_flags = 0, di_blocks = 2, di_gen = 0, di_uid = 0, di_gid = 0, di_spare = {0, 0}}
        itp = <optimized out>
        nulldir = {d_ino = 0, d_reclen = 12, d_type = 4 '\004', d_namlen = 1 '\001', d_name = "/", '\000' <repeats 254 times>}
        fd = <optimized out>
        xattr = '\000' <repeats 632 times>...
        xattr_found = <optimized out>
        ino = 2
#8  0x000055555555894f in main (argc=1, argv=<optimized out>) at main.c:562
        ch = <optimized out>
        ino = <optimized out>
        inputdev = 0x7fffffffe55b "repr1"
        symtbl = 0x55555556a1c1 "./restoresymtable"
        p = 0x5555557b12c3 "p/"
        name = '\000' <repeats 3468 times>...
        filelist = 0x0
        fname = "\003\000\000\000\000\000\000\000P\321\377\377\377\177\000\000\003", '\000' <repeats 15 times>, "\002\000\000\000\000\000\000\000\006\000\000\000\000\000\000\000\\'\000\000\000\000\000\000@\317\377\377\377\177\000\000pVb\366\377\177\000\000\200\357\376\367\377\177\000\000\300\341\377\367\377\177\000\000\000\000\000\000\003\000\000\000\001\375\000\000\000\000\000\000\\'\000\000\000\000\000\000\001\000\000\000\000\000\000\000\355\201", '\000' <repeats 22 times>, "\330I\002\000\000\000\000\000\000\020\000\000\000\000\000\000(\001\000\000\000\000\000\000\253Y(b\000\000\000\000\200\301\244#\000\000\000\000J#\362a", '\000' <repeats 12 times>...
        orig_umask = 18
        transselinuxopt = 0 '\000'
(gdb) 


(gdb) run -y -t -f repr2
Starting program: /usr/sbin/restore -y -t -f repr2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Dump   date: Wed Mar  9 03:17:26 2022
Dumped from: the epoch
Level 0 dump of /tmp/tmp.IpfI8jirKF/mountpoint on ci-vm-10-0-137-130.hosted.upshift.rdu2.redhat.com:/dev/loop0
Label: none
         2	.
Warning: `.' missing from directory .
Warning: `..' missing from directory .
         2	./.
Warning: `.' missing from directory ./.
Warning: `..' missing from directory ./.
         2	././.
Warning: `.' missing from directory ././.
Warning: `..' missing from directory ././.
         2	./././.
Warning: `.' missing from directory ./././.
Warning: `..' missing from directory ./././.
         2	././././.
Warning: `.' missing from directory ././././.
Warning: `..' missing from directory ././././.
         2	./././././.
Warning: `.' missing from directory ./././././.
Warning: `..' missing from directory ./././././.
         2	././././././.
Warning: `.' missing from directory ././././././.
Warning: `..' missing from directory ././././././.
         2	./././././././.
Warning: `.' missing from directory ./././././././.
Warning: `..' missing from directory ./././././././.
         2	././././././././.
...

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff690eafe in vfprintf () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007ffff690eafe in vfprintf () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007ffff69e4fba in __fprintf_chk () from /lib64/libc.so.6
No symbol table info available.
#2  0x000055555555d530 in fprintf (__fmt=0x55555556aa8a "%10lu\t%s\n", __stream=<optimized out>) at /usr/include/bits/stdio2.h:100
No locals.
#3  listfile (
    name=0x7fffff8003d0 "././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././"..., ino=2, type=<optimized out>) at restore.c:100
        descend = 1
        tnum = 0
        tpos = 0
#4  0x000055555555a054 in treescan (
    pname=pname@entry=0x7fffff8003d0 "././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././"..., ino=<optimized out>, todo=todo@entry=0x55555555d410 <listfile>)
    at dirs.c:305
        itp = 0x5555557ba1d0
        dp = <optimized out>
        namelen = <optimized out>
        bpt = <optimized out>
        locname = '\000' <repeats 2072 times>...
#5  0x000055555555a243 in treescan (
    pname=pname@entry=0x7fffff801430 "././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././"..., ino=<optimized out>, todo=todo@entry=0x55555555d410 <listfile>)
    at dirs.c:337
        itp = 0x5555557ba1d0
        dp = 0x5555557badfc
        namelen = 3994
        bpt = 12
        locname = "././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././"...
#6  0x000055555555a243 in treescan (
    pname=pname@entry=0x7fffff802490 "././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././"..., ino=<optimized out>, todo=todo@entry=0x55555555d410 <listfile>)
    at dirs.c:337
        itp = 0x5555557ba1d0
        dp = 0x5555557badfc
        namelen = 3992
        bpt = 12
        locname = "././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././"...

etc.


(gdb) run -y -t -f repr3
Starting program: /usr/sbin/restore -y -t -f repr3
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Dump   date: Wed Mar  9 03:17:26 2022
Dumped from: the epoch
Level 0 dump of /tmp/tmp.IpfI8jirKF/mountpoint on ci-vm-10-0-137-130.hosted.upshift.rdu2.redhat.com:/dev/loop0
Label: none
         2	.
        11	./lost+found
Warning: `.' missing from directory ./lost+found
Warning: `..' missing from directory ./lost+found
        11	./lost+found/
Warning: `.' missing from directory ./lost+found/
Warning: `..' missing from directory ./lost+found/
        11	./lost+found//
Warning: `.' missing from directory ./lost+found//
Warning: `..' missing from directory ./lost+found//
        11	./lost+found///
Warning: `.' missing from directory ./lost+found///
Warning: `..' missing from directory ./lost+found///
        11	./lost+found////
Warning: `.' missing from directory ./lost+found////
Warning: `..' missing from directory ./lost+found////
        11	./lost+found/////
Warning: `.' missing from directory ./lost+found/////
Warning: `..' missing from directory ./lost+found/////
...

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff690eafe in vfprintf () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007ffff690eafe in vfprintf () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007ffff69e4fba in __fprintf_chk () from /lib64/libc.so.6
No symbol table info available.
#2  0x000055555555d530 in fprintf (__fmt=0x55555556aa8a "%10lu\t%s\n", __stream=<optimized out>) at /usr/include/bits/stdio2.h:100
No locals.
#3  listfile (name=0x7fffff8003d0 "./lost+found", '/' <repeats 188 times>..., ino=11, type=<optimized out>) at restore.c:100
        descend = 1
        tnum = 0
        tpos = 0
#4  0x000055555555a054 in treescan (pname=pname@entry=0x7fffff8003d0 "./lost+found", '/' <repeats 188 times>..., ino=<optimized out>, 
    todo=todo@entry=0x55555555d410 <listfile>) at dirs.c:305
        itp = 0x5555557ba200
        dp = <optimized out>
        namelen = <optimized out>
        bpt = <optimized out>
        locname = '\000' <repeats 2072 times>...
#5  0x000055555555a243 in treescan (pname=pname@entry=0x7fffff801430 "./lost+found", '/' <repeats 188 times>..., ino=<optimized out>, 
    todo=todo@entry=0x55555555d410 <listfile>) at dirs.c:337
        itp = 0x5555557ba200
        dp = 0x5555557badfc
        namelen = 2008
        bpt = 68
        locname = "./lost+found", '/' <repeats 1996 times>...
#6  0x000055555555a243 in treescan (pname=pname@entry=0x7fffff802490 "./lost+found", '/' <repeats 188 times>..., ino=<optimized out>, 
    todo=todo@entry=0x55555555d410 <listfile>) at dirs.c:337
        itp = 0x5555557ba200
        dp = 0x5555557badfc
        namelen = 2007
        bpt = 68
        locname = "./lost+found", '/' <repeats 1995 times>...
#7  0x000055555555a243 in treescan (pname=pname@entry=0x7fffff8034f0 "./lost+found", '/' <repeats 188 times>..., ino=<optimized out>, 
    todo=todo@entry=0x55555555d410 <listfile>) at dirs.c:337
        itp = 0x5555557ba200
        dp = 0x5555557badfc
        namelen = 2006
        bpt = 68
        locname = "./lost+found", '/' <repeats 1994 times>...

etc.
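The repr2 and repr3 traces above share one shape: treescan() calls itself for a directory entry whose inode is the directory being scanned (inode 2 listed as `././.`, inode 11 as `./lost+found//`), each frame carrying a 2072-byte locname plus a growing pathname, until the pname addresses sit just above 0x7fffff800000, which is consistent with the 8 MiB default stack being exhausted and the final fault landing in vfprintf. The example below is an added illustration and is not code from the dump package or from this report. It works on a constructed in-memory directory table (not the dump(8) on-disk format) and shows the two checks a directory scanner needs before recursing on data from an untrusted file: a visited-inode set, so a directory inode that appears twice is reported as corruption instead of recursed into (which also bounds recursion depth by the inode count), and a path length bound applied before the name is copied. The table layout, the MAXINO/MAXPATH values and the WALK_* return codes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROOTINO 2          /* root directory inode, as on ext/UFS */
#define MAXINO  64         /* constructed: highest inode number the toy table may use */
#define MAXPATH 4096       /* bound on the path we are willing to build */

/* One entry of the constructed table: "directory dir_ino contains name,
 * which is inode ino". This is not the dump(8) on-disk layout. */
struct dirent_rec {
    uint32_t    dir_ino;
    const char *name;
    uint32_t    ino;
    int         is_dir;
};

enum { WALK_OK = 0, WALK_LOOP = -1, WALK_TOOLONG = -2, WALK_BADINO = -3 };

/* Constructed, well-formed table: . -> lost+found -> notes.txt */
static const struct dirent_rec CLEAN[] = {
    { ROOTINO, "lost+found", 11, 1 },
    { 11,      "notes.txt",  12, 0 },
};

/* Constructed table in the shape of repr3: lost+found carries an empty-named
 * entry whose inode is lost+found itself, so a naive scan lists
 * ./lost+found/, ./lost+found//, ... until the stack runs out. */
static const struct dirent_rec LOOPED[] = {
    { ROOTINO, "lost+found", 11, 1 },
    { 11,      "",           11, 1 },
    { 11,      "notes.txt",  12, 0 },
};

static int walk(const struct dirent_rec *ents, size_t n, uint32_t ino,
                char *path, size_t plen, uint8_t *seen, int *listed)
{
    if (ino >= MAXINO)
        return WALK_BADINO;
    /* A directory inode has exactly one parent in a sane dump (hard-linked
     * directories are not allowed). Seeing it again means the table loops or
     * is otherwise corrupt: refuse instead of recursing. This also bounds
     * recursion depth by MAXINO, so the stack cannot be exhausted. */
    if (seen[ino]) {
        fprintf(stderr, "directory inode %u reached again via %s: corrupt dump\n", ino, path);
        return WALK_LOOP;
    }
    seen[ino] = 1;

    for (size_t i = 0; i < n; i++) {
        const struct dirent_rec *d = &ents[i];
        if (d->dir_ino != ino)
            continue;
        if (!strcmp(d->name, ".") || !strcmp(d->name, ".."))
            continue;
        size_t nlen = strlen(d->name);
        /* Length check before the copy: a name taken from the file must never
         * push the path past the buffer. */
        if (plen + 1 + nlen >= MAXPATH) {
            fprintf(stderr, "path under %s exceeds %d bytes: corrupt dump\n", path, MAXPATH);
            return WALK_TOOLONG;
        }
        path[plen] = '/';
        memcpy(path + plen + 1, d->name, nlen + 1);
        printf("%10u\t%s\n", d->ino, path);   /* same shape as restore -t output */
        (*listed)++;
        if (d->is_dir) {
            int rc = walk(ents, n, d->ino, path, plen + 1 + nlen, seen, listed);
            if (rc != WALK_OK)
                return rc;
        }
        path[plen] = '\0';
    }
    return WALK_OK;
}

/* List a table from the root; returns a WALK_* code and the number of entries printed. */
int list_table(const struct dirent_rec *ents, size_t n, int *listed)
{
    char    path[MAXPATH] = ".";
    uint8_t seen[MAXINO]  = { 0 };
    *listed = 0;
    return walk(ents, n, ROOTINO, path, 1, seen, listed);
}

/* Exercises the length bound with a single name longer than MAXPATH. */
int list_overlong_name(void)
{
    static char big[MAXPATH + 8];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    struct dirent_rec t[] = { { ROOTINO, big, 13, 0 } };
    int listed;
    return list_table(t, 1, &listed);
}

int main(void)
{
    int listed, rc;
    rc = list_table(CLEAN, 2, &listed);
    printf("clean: rc=%d listed=%d\n", rc, listed);
    rc = list_table(LOOPED, 3, &listed);
    printf("looped: rc=%d listed=%d\n", rc, listed);
    printf("overlong: rc=%d\n", list_overlong_name());
    return 0;
}
```

On the looped table the scan prints `./lost+found` and `./lost+found/` and then stops with WALK_LOOP when inode 11 comes up a second time, which is the "error report" the Expected results above ask for, instead of the segmentation fault the traces show. Keeping the seen set per scan (rather than marking only the current path) is deliberate: in a dump each directory inode should be reached exactly once, so a second sighting is worth rejecting even when it is not strictly a cycle.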