This bug was initially created as a copy of Bug #1533087
I am copying this bug because:
Most likely some of those issues are the same.
This time I have reproduced the problem on RHEL-8
dump-0.4-0.36.b46.el8.x86_64
Description of problem:
Using the AFL fuzzer I have discovered a few files that cause the restore command to crash. Files are attached in the archive.
Reproducers repr1, repr2, repr3 attached.
How reproducible:
always
Steps to Reproduce:
1. restore -y -t -f FILE
Actual results:
crashes described above
Expected results:
error reports
Additional info:
found by AFL fuzzer
(gdb) run -y -t -f repr1
Starting program: /usr/sbin/restore -y -t -f repr1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Dump date: Wed Mar 9 03:17:26 2022
Dumped from: the epoch
Level 0 dump of /tmp/tmp.IpfI8jirKF/mountpoint on ci-vm-10-0-137-130.hosted.upshift.rdu2.redhat.com:/dev/loop0
Label: none
Checksum error 244735, inode 0 file (null)
no header after volume mark!
Incorrect block for <file removal list> at 3 blocks
Missing blocks at the end of <file removal list>, assuming hole
hole in map
/usr/sbin/restore: <file removal list>: ftruncate: Invalid argument
malloc(): invalid size (unsorted)
Program received signal SIGABRT, Aborted.
0x00007ffff68f6a4f in raise () from /lib64/libc.so.6
(gdb) bt full
#0 0x00007ffff68f6a4f in raise () from /lib64/libc.so.6
No symbol table info available.
#1 0x00007ffff68c9db5 in abort () from /lib64/libc.so.6
No symbol table info available.
#2 0x00007ffff6939057 in __libc_message () from /lib64/libc.so.6
No symbol table info available.
#3 0x00007ffff69401bc in malloc_printerr () from /lib64/libc.so.6
No symbol table info available.
#4 0x00007ffff694304c in _int_malloc () from /lib64/libc.so.6
No symbol table info available.
#5 0x00007ffff69454a6 in calloc () from /lib64/libc.so.6
No symbol table info available.
#6 0x0000555555559a2d in allocinotab (seekpt=<optimized out>, ino=2) at dirs.c:897
itp = <optimized out>
itp = <optimized out>
#7 extractdirs (genmode=<optimized out>) at dirs.c:240
i = <optimized out>
ip = {di_mode = 16877, di_nlink = 3, di_u = {oldids = {0, 0}, inumber = 0}, di_size = 512, di_atime = {tv_sec = 1646813846, tv_usec = 0},
di_mtime = {tv_sec = 1646813846, tv_usec = 0}, di_ctime = {tv_sec = 1646813846, tv_usec = 0}, di_db = {44, 0 <repeats 11 times>}, di_ib = {0, 0,
0}, di_flags = 0, di_blocks = 2, di_gen = 0, di_uid = 0, di_gid = 0, di_spare = {0, 0}}
itp = <optimized out>
nulldir = {d_ino = 0, d_reclen = 12, d_type = 4 '\004', d_namlen = 1 '\001', d_name = "/", '\000' <repeats 254 times>}
fd = <optimized out>
xattr = '\000' <repeats 632 times>...
xattr_found = <optimized out>
ino = 2
#8 0x000055555555894f in main (argc=1, argv=<optimized out>) at main.c:562
ch = <optimized out>
ino = <optimized out>
inputdev = 0x7fffffffe55b "repr1"
symtbl = 0x55555556a1c1 "./restoresymtable"
p = 0x5555557b12c3 "p/"
name = '\000' <repeats 3468 times>...
filelist = 0x0
fname = "\003\000\000\000\000\000\000\000P\321\377\377\377\177\000\000\003", '\000' <repeats 15 times>, "\002\000\000\000\000\000\000\000\006\000\000\000\000\000\000\000\\'\000\000\000\000\000\000@\317\377\377\377\177\000\000pVb\366\377\177\000\000\200\357\376\367\377\177\000\000\300\341\377\367\377\177\000\000\000\000\000\000\003\000\000\000\001\375\000\000\000\000\000\000\\'\000\000\000\000\000\000\001\000\000\000\000\000\000\000\355\201", '\000' <repeats 22 times>, "\330I\002\000\000\000\000\000\000\020\000\000\000\000\000\000(\001\000\000\000\000\000\000\253Y(b\000\000\000\000\200\301\244#\000\000\000\000J#\362a", '\000' <repeats 12 times>...
orig_umask = 18
transselinuxopt = 0 '\000'
(gdb)
(gdb) run -y -t -f repr2
Starting program: /usr/sbin/restore -y -t -f repr2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Dump date: Wed Mar 9 03:17:26 2022
Dumped from: the epoch
Level 0 dump of /tmp/tmp.IpfI8jirKF/mountpoint on ci-vm-10-0-137-130.hosted.upshift.rdu2.redhat.com:/dev/loop0
Label: none
2 .
Warning: `.' missing from directory .
Warning: `..' missing from directory .
2 ./.
Warning: `.' missing from directory ./.
Warning: `..' missing from directory ./.
2 ././.
Warning: `.' missing from directory ././.
Warning: `..' missing from directory ././.
2 ./././.
Warning: `.' missing from directory ./././.
Warning: `..' missing from directory ./././.
2 ././././.
Warning: `.' missing from directory ././././.
Warning: `..' missing from directory ././././.
2 ./././././.
Warning: `.' missing from directory ./././././.
Warning: `..' missing from directory ./././././.
2 ././././././.
Warning: `.' missing from directory ././././././.
Warning: `..' missing from directory ././././././.
2 ./././././././.
Warning: `.' missing from directory ./././././././.
Warning: `..' missing from directory ./././././././.
2 ././././././././.
...
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff690eafe in vfprintf () from /lib64/libc.so.6
(gdb) bt full
#0 0x00007ffff690eafe in vfprintf () from /lib64/libc.so.6
No symbol table info available.
#1 0x00007ffff69e4fba in __fprintf_chk () from /lib64/libc.so.6
No symbol table info available.
#2 0x000055555555d530 in fprintf (__fmt=0x55555556aa8a "%10lu\t%s\n", __stream=<optimized out>) at /usr/include/bits/stdio2.h:100
No locals.
#3 listfile (
name=0x7fffff8003d0 "././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././"..., ino=2, type=<optimized out>) at restore.c:100
descend = 1
tnum = 0
tpos = 0
#4 0x000055555555a054 in treescan (
pname=pname@entry=0x7fffff8003d0 "././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././"..., ino=<optimized out>, todo=todo@entry=0x55555555d410 <listfile>)
at dirs.c:305
itp = 0x5555557ba1d0
dp = <optimized out>
namelen = <optimized out>
bpt = <optimized out>
locname = '\000' <repeats 2072 times>...
#5 0x000055555555a243 in treescan (
pname=pname@entry=0x7fffff801430 "././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././"..., ino=<optimized out>, todo=todo@entry=0x55555555d410 <listfile>)
at dirs.c:337
itp = 0x5555557ba1d0
dp = 0x5555557badfc
namelen = 3994
bpt = 12
locname = "././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././"...
#6 0x000055555555a243 in treescan (
pname=pname@entry=0x7fffff802490 "././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././"..., ino=<optimized out>, todo=todo@entry=0x55555555d410 <listfile>)
at dirs.c:337
itp = 0x5555557ba1d0
dp = 0x5555557badfc
namelen = 3992
bpt = 12
locname = "././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././"...
etc.
(gdb) run -y -t -f repr3
Starting program: /usr/sbin/restore -y -t -f repr3
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Dump date: Wed Mar 9 03:17:26 2022
Dumped from: the epoch
Level 0 dump of /tmp/tmp.IpfI8jirKF/mountpoint on ci-vm-10-0-137-130.hosted.upshift.rdu2.redhat.com:/dev/loop0
Label: none
2 .
11 ./lost+found
Warning: `.' missing from directory ./lost+found
Warning: `..' missing from directory ./lost+found
11 ./lost+found/
Warning: `.' missing from directory ./lost+found/
Warning: `..' missing from directory ./lost+found/
11 ./lost+found//
Warning: `.' missing from directory ./lost+found//
Warning: `..' missing from directory ./lost+found//
11 ./lost+found///
Warning: `.' missing from directory ./lost+found///
Warning: `..' missing from directory ./lost+found///
11 ./lost+found////
Warning: `.' missing from directory ./lost+found////
Warning: `..' missing from directory ./lost+found////
11 ./lost+found/////
Warning: `.' missing from directory ./lost+found/////
Warning: `..' missing from directory ./lost+found/////
...
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff690eafe in vfprintf () from /lib64/libc.so.6
(gdb) bt full
#0 0x00007ffff690eafe in vfprintf () from /lib64/libc.so.6
No symbol table info available.
#1 0x00007ffff69e4fba in __fprintf_chk () from /lib64/libc.so.6
No symbol table info available.
#2 0x000055555555d530 in fprintf (__fmt=0x55555556aa8a "%10lu\t%s\n", __stream=<optimized out>) at /usr/include/bits/stdio2.h:100
No locals.
#3 listfile (name=0x7fffff8003d0 "./lost+found", '/' <repeats 188 times>..., ino=11, type=<optimized out>) at restore.c:100
descend = 1
tnum = 0
tpos = 0
#4 0x000055555555a054 in treescan (pname=pname@entry=0x7fffff8003d0 "./lost+found", '/' <repeats 188 times>..., ino=<optimized out>,
todo=todo@entry=0x55555555d410 <listfile>) at dirs.c:305
itp = 0x5555557ba200
dp = <optimized out>
namelen = <optimized out>
bpt = <optimized out>
locname = '\000' <repeats 2072 times>...
#5 0x000055555555a243 in treescan (pname=pname@entry=0x7fffff801430 "./lost+found", '/' <repeats 188 times>..., ino=<optimized out>,
todo=todo@entry=0x55555555d410 <listfile>) at dirs.c:337
itp = 0x5555557ba200
dp = 0x5555557badfc
namelen = 2008
bpt = 68
locname = "./lost+found", '/' <repeats 1996 times>...
#6 0x000055555555a243 in treescan (pname=pname@entry=0x7fffff802490 "./lost+found", '/' <repeats 188 times>..., ino=<optimized out>,
todo=todo@entry=0x55555555d410 <listfile>) at dirs.c:337
itp = 0x5555557ba200
dp = 0x5555557badfc
namelen = 2007
bpt = 68
locname = "./lost+found", '/' <repeats 1995 times>...
#7 0x000055555555a243 in treescan (pname=pname@entry=0x7fffff8034f0 "./lost+found", '/' <repeats 188 times>..., ino=<optimized out>,
todo=todo@entry=0x55555555d410 <listfile>) at dirs.c:337
itp = 0x5555557ba200
dp = 0x5555557badfc
namelen = 2006
bpt = 68
locname = "./lost+found", '/' <repeats 1994 times>...
etc.
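The repr2 and repr3 backtraces show the same failure mode: treescan recursing into a directory entry that points back at the directory being walked (inode 2 listed as "./.", "././.", ...; inode 11 listed as "./lost+found/", "./lost+found//", ...), with the path buffer growing by a few bytes per frame until the stack is exhausted and vfprintf faults. The example below is added here for illustration and is not code from the dump/restore project; it uses a constructed in-memory stand-in for the dump's directory table (the `dumpdir`/`dentry` types, `list_dump`, and the three `scenario_*` helpers are all assumed names). It shows the two checks a hardened tree walk needs against this class of input: reject an entry whose inode is already on the current ancestor path, and bound both the recursion depth and the path length with a checked append instead of an unchecked one.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_DEPTH    64     /* hard bound on recursion, independent of input */
#define MAX_PATH_LEN 256    /* fixed path buffer, always length-checked */
#define MAX_ENTRIES  4

/* Constructed stand-in for a dump's directory table (not restore's real
 * on-disk layout): an inode number plus the entries that directory lists. */
struct dentry  { const char *name; uint32_t ino; };
struct dumpdir { uint32_t ino; int nent; struct dentry ent[MAX_ENTRIES]; };

/* Outcome counters: nodes listed, loops refused, malformed/oversized entries skipped. */
struct walk_stats { int listed; int loops; int rejected; };

static const struct dumpdir *find_dir(const struct dumpdir *dirs, int ndirs, uint32_t ino)
{
    for (int i = 0; i < ndirs; i++)
        if (dirs[i].ino == ino) return &dirs[i];
    return NULL;                           /* not a directory: treat as a leaf */
}

/* True if ino is already an ancestor on the current walk path (a cycle). */
static int on_path(const uint32_t *path, int depth, uint32_t ino)
{
    for (int i = 0; i < depth; i++)
        if (path[i] == ino) return 1;
    return 0;
}

static void walk(const struct dumpdir *dirs, int ndirs, uint32_t ino,
                 const char *pname, uint32_t *path, int depth, struct walk_stats *st)
{
    st->listed++;                          /* one listing line per visited node */
    const struct dumpdir *d = find_dir(dirs, ndirs, ino);
    if (d == NULL) return;
    if (depth >= MAX_DEPTH) { st->rejected++; return; }   /* depth bound */
    path[depth] = ino;
    for (int i = 0; i < d->nent; i++) {
        const struct dentry *e = &d->ent[i];
        /* Skip "." and ".." by name wherever they appear, not only by position. */
        if (strcmp(e->name, ".") == 0 || strcmp(e->name, "..") == 0) continue;
        if (e->name[0] == '\0') { st->rejected++; continue; }  /* empty name is malformed */
        if (on_path(path, depth + 1, e->ino)) { st->loops++; continue; }  /* self-reference */
        char locname[MAX_PATH_LEN];
        int n = snprintf(locname, sizeof locname, "%s/%s", pname, e->name);
        if (n < 0 || (size_t)n >= sizeof locname) { st->rejected++; continue; }  /* too long */
        walk(dirs, ndirs, e->ino, locname, path, depth + 1, st);
    }
}

/* Walk the table from rootino; returns the number of nodes listed and fills st. */
int list_dump(const struct dumpdir *dirs, int ndirs, uint32_t rootino, struct walk_stats *st)
{
    uint32_t path[MAX_DEPTH];
    memset(st, 0, sizeof *st);
    walk(dirs, ndirs, rootino, ".", path, 0, st);
    return st->listed;
}

/* Constructed scenarios. good_dirs is a well-formed tree; loop_dirs mirrors the
 * repr2 shape (inode 2 lists an entry pointing back at inode 2); empty_dirs
 * mirrors the repr3 shape (inode 11 lists an empty-named entry pointing at 11). */
static const struct dumpdir good_dirs[]  = { { 2, 3, { {".", 2}, {"..", 2}, {"lost+found", 11} } },
                                             { 11, 2, { {".", 11}, {"..", 2} } } };
static const struct dumpdir loop_dirs[]  = { { 2, 2, { {".", 2}, {"loop", 2} } } };
static const struct dumpdir empty_dirs[] = { { 2, 1, { {"lost+found", 11} } },
                                             { 11, 1, { {"", 11} } } };

int scenario_good_listed(void)    { struct walk_stats st; list_dump(good_dirs, 2, 2, &st);  return st.listed; }
int scenario_loop_detected(void)  { struct walk_stats st; list_dump(loop_dirs, 1, 2, &st);  return st.loops; }
int scenario_empty_rejected(void) { struct walk_stats st; list_dump(empty_dirs, 2, 2, &st); return st.rejected; }

int main(void)
{
    printf("good tree: %d nodes listed\n", scenario_good_listed());
    printf("self-referencing dir: %d loop(s) refused\n", scenario_loop_detected());
    printf("empty-name entry: %d entry(ies) rejected\n", scenario_empty_rejected());
    return 0;
}
```

With the loop check in place the self-referencing tables terminate after a single listing line instead of recursing until the stack is gone; the depth and length bounds remain as a backstop for inputs that form long chains of distinct inodes rather than a direct cycle.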
Comment 5 (RHEL Program Management)
2023-09-09 07:28:36 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.