Bug 677789

Summary: fsck.vfat hangs during checking of VFAT if there are chains of orphaned clusters
Product: Red Hat Enterprise Linux 6 Reporter: Jaroslav Škarvada <jskarvad>
Component: dosfstoolsAssignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED ERRATA QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 6.1CC: bnater, jskarvad, lkundrak, mads, rvokal
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard: abrt_hash:36d6572a6d9f88437a85ce7fefa9968eedd36a4d
Fixed In Version: dosfstools-3.0.9-4.el6 Doc Type: Bug Fix
Doc Text:
The fsck.vfat utility terminated due to buffer overflow. This occurred when checking a device with the corrupted VFAT file system if there were any chains of orphaned clusters. The name of the newly created file that contained these clusters was printed directly into the name field, which led to an out of boundary write. The name is now printed into the buffer and individual parts are then correctly copied into the appropriate field.
 Story Points: ---
Clone Of: 674095
: 745430 1031690 (view as bug list) Environment:
Last Closed: 2011-12-06 09:56:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 745430    

Description Jaroslav Škarvada 2011-02-15 20:51:20 UTC 
+++ This bug was initially created as a clone of Bug #674095 +++

abrt version: 1.1.14
architecture: i686
Attached file: backtrace
cmdline: fsck.vfat -y /dev/sdb1
component: dosfstools
crash_function: _IO_str_chk_overflow
executable: /sbin/dosfsck
kernel: 2.6.35.10-74.fc14.i686.PAE
package: dosfstools-3.0.9-4.fc14
rating: 4
reason: Process /sbin/dosfsck was killed by signal 6 (SIGABRT)
release: Fedora release 14 (Laughlin)
time: 1296489853
uid: 0

How to reproduce
-----
1. tried to fsck a broken usb flash device
2.
3.

--- Additional comment from mads on 2011-01-31 17:13:48 CET ---

Created attachment 476222 [details]
File: backtrace

--- Additional comment from jskarvad on 2011-01-31 17:47:37 CET ---

Thanks, got it from the backtrace.

--- Additional comment from jskarvad on 2011-01-31 17:50:06 CET ---

Created attachment 476231 [details]
Fix alloc_rootdir_entry buffer overflow

--- Additional comment from jskarvad on 2011-01-31 17:51:47 CET ---

Please try the following experimental build on your broken USB flash drive and report the results:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2753262

--- Additional comment from mads on 2011-01-31 18:33:02 CET ---

Thanks, seems to work fine.

(But I wonder why it also found'n'fixed errors the second time I ran it. I would expect it to warn me the first time if that was likely to be necessary. Or is it common knowledge that fsck must be rerun until no failures are found?)

[root@dev-mk ~]# rpm -q dosfstools
dosfstools-3.0.9-5.fc14.i686
[root@dev-mk ~]# fsck -y /dev/sdb1 
fsck from util-linux-ng 2.18
dosfsck 3.0.9, 31 Jan 2010, FAT32, LFN
Reclaimed 7 unused clusters (114688 bytes) in 4 chains.
Performing changes.
/dev/sdb1: 739 files, 23270/62952 clusters
[root@dev-mk ~]# fsck -y /dev/sdb1 
fsck from util-linux-ng 2.18
dosfsck 3.0.9, 31 Jan 2010, FAT32, LFN
/FSCK0000.\000\000\000
  Bad file name.
  Auto-renaming it.
  Renamed to FSCK0000.000
/FSCK0001.\000\000\000
  Bad file name.
  Auto-renaming it.
  Renamed to FSCK0000.001
/FSCK0002.\000\000\000
  Bad file name.
  Auto-renaming it.
  Renamed to FSCK0000.002
/FSCK0003.\000\000\000
  Bad file name.
  Auto-renaming it.
  Renamed to FSCK0000.003
Performing changes.
/dev/sdb1: 739 files, 23270/62952 clusters
[root@dev-mk ~]# fsck -y /dev/sdb1 
fsck from util-linux-ng 2.18
dosfsck 3.0.9, 31 Jan 2010, FAT32, LFN
/dev/sdb1: 739 files, 23270/62952 clusters
[root@dev-mk ~]#

--- Additional comment from jskarvad on 2011-02-01 09:28:37 CET ---

Thanks, got it. It is another problem ;) I will push patches for both issues into update testing and I will also post it upstream. Watch this bugzilla for progress.

--- Additional comment from jskarvad on 2011-02-01 12:47:27 CET ---

Created attachment 476370 [details]
Fix alloc_rootdir_entry buffer overflow

Updated patch addressing the issue from comment 5. Before applying, the dosfstools-3.0.9-fix-reclaim-file.patch must be also dropped.

--- Additional comment from jskarvad on 2011-02-01 12:56:23 CET ---

Updated scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2754353

Patch sent upstream. Waiting for comments.

--- Additional comment from jskarvad on 2011-02-14 17:23:35 CET ---

Created attachment 478664 [details]
Reproducer

Should return 0 on PASS, 1 on FAIL.

--- Additional comment from updates on 2011-02-14 17:27:35 CET ---

dosfstools-3.0.9-5.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/dosfstools-3.0.9-5.fc14

--- Additional comment from updates on 2011-02-14 18:14:39 CET ---

dosfstools-3.0.9-4.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/dosfstools-3.0.9-4.fc13

--- Additional comment from updates on 2011-02-14 18:28:01 CET ---

dosfstools-3.0.11-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/dosfstools-3.0.11-3.fc15

--- Additional comment from updates on 2011-02-14 21:27:40 CET ---

dosfstools-3.0.9-5.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dosfstools'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/dosfstools-3.0.9-5.fc14
Comment 1 Jaroslav Škarvada 2011-02-15 20:52:16 UTC 
Reproducer is in attachment 478664 [details]
Comment 3 RHEL Program Management 2011-02-15 21:17:47 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
Comment 4 Jaroslav Škarvada 2011-03-11 13:08:40 UTC 
*** Bug 684181 has been marked as a duplicate of this bug. ***
Comment 6 Branislav Náter 2011-07-12 15:36:39 UTC 
Bugfix was verified on dosfstools-3.0.9-4.el6 package on all supported
architectures.

dosfsck is doesn't crash on broken fs anymore.
Comment 7 Eliska Slobodova 2011-07-18 14:50:10 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The fsck.vfat utility terminated due to buffer overflow. This occurred when checking a device with the corrupted VFAT file system if there were any chains of orphaned clusters. The name of the newly created file that contained these clusters was printed directly into the name field, which led to an out of boundary write. The name is now printed into the buffer and individual parts are then correctly copied into the appropriate field.
Comment 8 errata-xmlrpc 2011-12-06 09:56:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1552.html