It seems I've reproduced the crash by running the following command on an unmounted ext4 partition:

    sudo ./extundelete --restore-directory /home /dev/sdb1

After recompilation of the program under the clang address sanitizer:

    make CC=clang CXX=clang++ CFLAGS="-O1 -g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-O1 -g -fsanitize=address -fno-omit-frame-pointer"

the sanitizer gave the following results:

----------------------------- start of stdout -----------------------------
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 96 groups loaded.
Loading journal descriptors ...
=================================================================
==2824==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000010100 at pc 0x00000050b0bc bp 0x7ffcdaf56d80 sp 0x7ffcdaf56d78
READ of size 2 at 0x621000010100 thread T0
    #0 0x50b0bb in be16_to_cpu(unsigned short*) /home/aleksey/OTHER/EXTUNDELETE/clang_1/src/extundelete.cc:302:8
    #1 0x5062da in journal_block_tag_to_cpu(char*, journal_superblock_s*) /home/aleksey/OTHER/EXTUNDELETE/clang_1/src/extundelete.cc:390:2
    #2 0x504f6b in init_journal(struct_ext2_filsys*, struct_ext2_filsys*, journal_superblock_s*) /home/aleksey/OTHER/EXTUNDELETE/clang_1/src/extundelete.cc:1052:6
    #3 0x525a85 in examine_fs(struct_ext2_filsys*) /home/aleksey/OTHER/EXTUNDELETE/clang_1/src/cli.cc:287:13
    #4 0x5224d8 in main /home/aleksey/OTHER/EXTUNDELETE/clang_1/src/cli.cc:807:12
    #5 0x7fd47ce2409a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #6 0x4235d9 in _start (/home/aleksey/OTHER/EXTUNDELETE/clang_1/src/extundelete+0x4235d9)

0x621000010100 is located 0 bytes to the right of 4096-byte region [0x62100000f100,0x621000010100)
allocated by thread T0 here:
    #0 0x4fa7f2 in operator new[](unsigned long) (/home/aleksey/OTHER/EXTUNDELETE/clang_1/src/extundelete+0x4fa7f2)
    #1 0x5049dc in init_journal(struct_ext2_filsys*, struct_ext2_filsys*, journal_superblock_s*) /home/aleksey/OTHER/EXTUNDELETE/clang_1/src/extundelete.cc:990:8
    #2 0x525a85 in examine_fs(struct_ext2_filsys*) /home/aleksey/OTHER/EXTUNDELETE/clang_1/src/cli.cc:287:13
    #3 0x5224d8 in main /home/aleksey/OTHER/EXTUNDELETE/clang_1/src/cli.cc:807:12
    #4 0x7fd47ce2409a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aleksey/OTHER/EXTUNDELETE/clang_1/src/extundelete.cc:302:8 in be16_to_cpu(unsigned short*)
Shadow bytes around the buggy address:
  0x0c427fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffa020:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2824==ABORTING
----------------------------- end of stdout -----------------------------

So the problem is somewhere in the init_journal() function. The heap-buffer-overflow occurred at extundelete.cc:1052:

    journal_block_tag_to_cpu( (char *)jbt, jsb );

on the block of size 4096 bytes, allocated at extundelete.cc:990 by the line:

    buf = new char[ EXT2_BLOCK_SIZE(jfs->super)];

Regards,
Aleksey
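The report above shows a 2-byte big-endian read landing exactly one byte past a 4096-byte journal block while walking descriptor block tags. The following is an added example, not extundelete's code, of how such a walk can be bounds-checked so a descriptor block with no terminating tag ends the loop instead of reading past the buffer. It assumes the classic 8-byte JBD2 block tag layout (t_blocknr, t_checksum, t_flags) with no 64-bit or checksum-v3 extensions, and the names below are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define JBD2_HDR_SIZE      12    /* h_magic, h_blocktype, h_sequence: three __be32 */
#define JBD2_TAG_SIZE       8    /* t_blocknr (4), t_checksum (2), t_flags (2) */
#define JBD2_FLAG_LAST_TAG  0x8  /* t_flags bit marking the final tag of the block */

/* Read a big-endian u16 at `off`; refuse if the 2 bytes do not lie within buf[0..len). */
static int be16_at(const unsigned char *buf, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2)
        return -1;                        /* would read past the end of the block */
    *out = (uint16_t)(((uint16_t)buf[off] << 8) | buf[off + 1]);
    return 0;
}

/* Count the tags in a descriptor block of `len` bytes. The walk stops at a tag
 * carrying LAST_TAG or as soon as a whole tag no longer fits in the remaining
 * bytes, so it never touches memory outside the block. Returns -1 if the block
 * is too small to even hold the descriptor header. */
int count_descriptor_tags(const unsigned char *buf, size_t len)
{
    size_t off = JBD2_HDR_SIZE;
    int n = 0;
    uint16_t flags;

    if (len < JBD2_HDR_SIZE)
        return -1;
    while (len - off >= JBD2_TAG_SIZE) {  /* the complete tag must fit */
        if (be16_at(buf, len, off + 6, &flags) != 0)
            return -1;                    /* cannot happen given the guard above */
        n++;
        if (flags & JBD2_FLAG_LAST_TAG)
            break;
        off += JBD2_TAG_SIZE;
    }
    return n;
}

/* Constructed sample block (not from a real journal): three tags, third marked LAST_TAG. */
static unsigned char block[4096];
int sample_tag_count(void)
{
    memset(block, 0, sizeof block);
    block[JBD2_HDR_SIZE + 2 * JBD2_TAG_SIZE + 7] = JBD2_FLAG_LAST_TAG; /* low byte of t_flags */
    return count_descriptor_tags(block, sizeof block);
}

/* Constructed malformed block: no tag carries LAST_TAG, so the walk must end at the block boundary. */
int malformed_tag_count(void)
{
    memset(block, 0, sizeof block);
    return count_descriptor_tags(block, sizeof block);
}
```

With the malformed block the walk stops after the 510 tags that fit between the 12-byte header and the end of the 4096-byte buffer, rather than reading t_flags from offset 4096 as the unguarded loop in the report did.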