Bug 660154 - fsck.vfat buffer overflow
Summary: fsck.vfat buffer overflow
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: dosfstools
Version: 13
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Jaroslav Škarvada
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-05 22:07 UTC by davidgf
Modified: 2011-06-28 10:09 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2011-06-28 10:09:32 UTC


Attachments (Terms of Use)
Core dump (97.73 KB, application/x-bzip2)
2010-12-05 22:09 UTC, davidgf
no flags Details

Description davidgf 2010-12-05 22:07:51 UTC
Description of problem:
When repairing a partition I get a buffer overflow. This is the output:


dosfsck 3.0.9, 31 Jan 2010, FAT32, LFN
FATs differ but appear to be intact. Using first FAT.
*** buffer overflow detected ***: fsck.vfat terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x79bfdd]
/lib/libc.so.6[0x79a00a]
/lib/libc.so.6[0x799738]
/lib/libc.so.6(_IO_default_xsputn+0x13c)[0x71159c]
/lib/libc.so.6(_IO_vfprintf+0xfbf)[0x6e435f]
/lib/libc.so.6(__vsprintf_chk+0xa7)[0x7997e7]
/lib/libc.so.6(__sprintf_chk+0x2d)[0x79972d]
fsck.vfat[0x804d2a1]
fsck.vfat[0x804e699]
fsck.vfat[0x8049158]
/lib/libc.so.6(__libc_start_main+0xe6)[0x6bacc6]
fsck.vfat[0x8048ba1]
======= Memory map: ========
0052c000-0052d000 r-xp 00000000 00:00 0          [vdso]
00682000-006a0000 r-xp 00000000 08:02 6402       /lib/ld-2.12.1.so
006a0000-006a1000 r--p 0001d000 08:02 6402       /lib/ld-2.12.1.so
006a1000-006a2000 rw-p 0001e000 08:02 6402       /lib/ld-2.12.1.so
006a4000-00829000 r-xp 00000000 08:02 7448       /lib/libc-2.12.1.so
00829000-0082a000 ---p 00185000 08:02 7448       /lib/libc-2.12.1.so
0082a000-0082c000 r--p 00185000 08:02 7448       /lib/libc-2.12.1.so
0082c000-0082d000 rw-p 00187000 08:02 7448       /lib/libc-2.12.1.so
0082d000-00830000 rw-p 00000000 00:00 0 
00d09000-00d26000 r-xp 00000000 08:02 8756       /lib/libgcc_s-4.4.5-20101113.so.1
00d26000-00d27000 rw-p 0001d000 08:02 8756       /lib/libgcc_s-4.4.5-20101113.so.1
08047000-08055000 r-xp 00000000 08:02 11191      /sbin/dosfsck
08055000-08056000 rw-p 0000d000 08:02 11191      /sbin/dosfsck
08056000-08058000 rw-p 00000000 00:00 0 
08f94000-08fef000 rw-p 00000000 00:00 0          [heap]
b783f000-b78b6000 rw-p 00000000 00:00 0 
b78d2000-b78d4000 rw-p 00000000 00:00 0 
bffa0000-bffc1000 rw-p 00000000 00:00 0          [stack]
Abortado (`core' generado)

Version-Release number of selected component (if applicable):
dosfsck 3.0.9



Also submit the coredump. I'll copy my damaged partition (SD card) if you need I can upload it (it's about 2GB).

Thank you!

Comment 1 davidgf 2010-12-05 22:09:28 UTC
Created attachment 464893 [details]
Core dump

Comment 2 Jaroslav Škarvada 2010-12-10 13:48:33 UTC
Thanks for info. May be I got it from the core dump, please check the following experimental build and let me know if it fixes the problem:

http://koji.fedoraproject.org/koji/taskinfo?taskID=2656763

Comment 3 davidgf 2010-12-18 13:47:47 UTC
I'm sorry. The SD card wasn't mine so I had to return it.
And I wanted to copy it to my HDD before formating it, but when tried to copy it using dd it just copied 15MB.
As far as I know the card was damaged (badblocks?) because after formatting it I wasn't able to copy it again. And some file transfers failed.
I guess maybe you don't check all the read/write syscalls when they return error? Maybe a -1 return value is treated as read/write byte count and therefore produces an buffer overflow? I'm pretty sure the underlying bug was in the SD card or in the reader driver (it's a crap).

I can't do anything more by now. Maybe I can get the card back again in some days to test it properly.

Thank you a lot!

Comment 4 Jaroslav Škarvada 2010-12-20 08:42:28 UTC
No problem, thanks for info. From the backtrace it seems it overflows when reclaiming more than 9 files because the resulting filename is too long and does not fit into 8 chars filename buffer. The filesystem must be probably heavily damaged for this condition to occure. I am going to post the patch upstream and also I am going to push the fix through bodhi. Maybe there are more problems but this one is obvious.

Comment 5 davidgf 2010-12-20 14:01:04 UTC
Glad it helped to fix a bug! I don't really know if the filesystem was really damaged. I could mount it without a problem and list all the files and also I did backup them. There were some file that couldn't be copied because when I tried to copy them the filesystem was unmounted and mounted again. I don't know if it's mount's fault or gnome's, but it happened. As I said maybe the kernel was reading random data from damaged card blocks... No idea...

Thank you for your great job!

Comment 6 Fedora Update System 2011-01-07 13:37:29 UTC
dosfstools-3.0.9-4.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/dosfstools-3.0.9-4.fc14

Comment 7 Fedora Update System 2011-01-07 13:39:31 UTC
dosfstools-3.0.9-3.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/dosfstools-3.0.9-3.fc13

Comment 8 Fedora Update System 2011-01-07 20:01:59 UTC
dosfstools-3.0.9-3.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dosfstools'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/dosfstools-3.0.9-3.fc13

Comment 9 Jaroslav Škarvada 2011-01-10 10:50:50 UTC
Patch was accepted upstream and will be probably part of dosfstool-3.0.12.

Comment 10 Fedora Update System 2011-01-18 21:35:57 UTC
dosfstools-3.0.9-4.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2011-02-14 17:14:44 UTC
dosfstools-3.0.9-4.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/dosfstools-3.0.9-4.fc13

Comment 12 Fedora Update System 2011-04-05 12:09:49 UTC
dosfstools-3.0.9-5.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/dosfstools-3.0.9-5.fc13

Comment 13 Bug Zapper 2011-05-30 13:04:32 UTC
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 14 Bug Zapper 2011-06-28 10:09:32 UTC
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.