tytso / e2fsprogs

Ext2/3/4 file system utilities
http://ext4.wiki.kernel.org

debugfs crash with `-D_FORTIFY_SOURCE=3` #152

Closed thesamesam closed 4 months ago

thesamesam commented 1 year ago

Noticed when running unblob's test suite.

```
# debugfs -R 'rdump / /var/tmp/portage/app-forensics/unblob-23.5.31/temp/pytest-of-portage/pytest-0/test_all_handlers_filesystem_e0/f_badsymlinks.img_extract//lost+found /var/tmp/portage/app-forensics/unblob-23.5.31/work/unblob-23.5.31/tests/integration/filesystem/extfs/__input__/f_badsymlinks.img
debugfs 1.47.0 (5-Feb-2023)
rdump: No such file or directory while creating symlink  -> /var/tmp/portage/app-forensics/unblob-23.5.31/temp/pytest-of-portage/pytest-0/test_all_handlers_filesystem_e0/f_badsymlinks.img_extract//lost+found//empty_link
*** buffer overflow detected ***: terminated
Aborted (core dumped)
Program received signal SIGABRT, Aborted.
0x00007ffff7d5024c in ?? () from /usr/lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7d5024c in ?? () from /usr/lib64/libc.so.6
#1  0x00007ffff7cffad6 in raise () from /usr/lib64/libc.so.6
#2  0x00007ffff7ce8877 in abort () from /usr/lib64/libc.so.6
#3  0x00007ffff7ce97b8 in ?? () from /usr/lib64/libc.so.6
#4  0x00007ffff7de387b in __fortify_fail () from /usr/lib64/libc.so.6
#5  0x00007ffff7de1fe6 in __chk_fail () from /usr/lib64/libc.so.6
#6  0x00007ffff7de1826 in __strcpy_chk () from /usr/lib64/libc.so.6
#7  0x0000555555563f1f in ?? ()
#8  0x00005555555641c5 in ?? ()
#9  0x00007ffff7f446d6 in ext2fs_process_dir_block (fs=0x55555558c2c0, blocknr=0x7fffffffdca0, blockcnt=<optimized out>, ref_block=<optimized out>, ref_offset=<optimized out>, priv_data=<optimized out>)
    at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ext2fs/dir_iterate.c:256
#10 0x00007ffff7f3efc7 in ext2fs_block_iterate3 (fs=0x55555558c2c0, ino=2, flags=8, block_buf=0x0, func=0x7ffff7f44550 <ext2fs_process_dir_block>, priv_data=0x7fffffffde30)
    at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ext2fs/block.c:526
#11 0x00007ffff7f3fb55 in ext2fs_block_iterate3 (fs=fs@entry=0x55555558c2c0, ino=ino@entry=2, flags=flags@entry=8, block_buf=block_buf@entry=0x0, func=func@entry=0x7ffff7f44550 <ext2fs_process_dir_block>,
    priv_data=priv_data@entry=0x7fffffffde30) at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ext2fs/block.c:568
#12 0x00007ffff7f44b85 in ext2fs_dir_iterate2 (priv_data=0x7fffffffdeb0, func=0x7ffff7f444e0 <xlate_func>, block_buf=0x0, flags=<optimized out>, dir=2, fs=0x55555558c2c0)
    at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ext2fs/dir_iterate.c:126
#13 ext2fs_dir_iterate2 (fs=0x55555558c2c0, dir=2, flags=<optimized out>, block_buf=0x0, func=0x7ffff7f444e0 <xlate_func>, priv_data=0x7fffffffdeb0)
    at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ext2fs/dir_iterate.c:92
#14 0x00007ffff7f44bf0 in ext2fs_dir_iterate (fs=<optimized out>, dir=<optimized out>, flags=<optimized out>, block_buf=<optimized out>, func=<optimized out>, priv_data=<optimized out>)
    at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ext2fs/dir_iterate.c:174
#15 0x0000555555563f64 in ?? ()
#16 0x000055555556442b in ?? ()
#17 0x00007ffff7f16373 in check_request_table (rqtbl=<optimized out>, sci_idx=<optimized out>, argv=0x555555591930, argc=3)
    at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ss/execute_cmd.c:103
#18 really_execute_command (sci_idx=sci_idx@entry=1, argc=3, argv=argv@entry=0x7fffffffe110) at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ss/execute_cmd.c:141
#19 0x00007ffff7f16578 in ss_execute_line (sci_idx=1, line_ptr=<optimized out>) at /usr/src/debug/sys-fs/e2fsprogs-1.47.0-r2/e2fsprogs-1.47.0/lib/ss/execute_cmd.c:224
#20 0x000055555555b2e0 in ?? ()
#21 0x00007ffff7ce9d50 in ?? () from /usr/lib64/libc.so.6
#22 0x00007ffff7ce9e09 in __libc_start_main () from /usr/lib64/libc.so.6
#23 0x000055555555b3f5 in ?? ()
```

A smaller reproducer is:

```
$ mkdir /tmp/foo && debugfs -R 'rdump / /tmp/foo' f_badsymlinks.img
debugfs 1.47.0 (5-Feb-2023)
rdump: No such file or directory while creating symlink  -> /tmp/foo//empty_link
*** buffer overflow detected ***: terminated
Aborted (core dumped)
```

This is with GCC 13.1.1 20230701, -D_FORTIFY_SOURCE=3, glibc-2.37, and e2fsprogs-1.47.0 on amd64.

Attached f_badsymlinks.img (from the unblob test suite): f_badsymlinks.img.gz
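The backtrace above ends in `__strcpy_chk`, which is what a `strcpy` call becomes under `-D_FORTIFY_SOURCE=3`: glibc checks the destination size it can determine (including `malloc` sizes known only at run time) and aborts with "*** buffer overflow detected ***" when the source string is longer. The following is an added illustration of that general pattern and of its bounds-checked form; it is not e2fsprogs code and not a reconstruction of the actual debugfs defect. The record layout (`struct disk_link`, `INLINE_TARGET_MAX`), the sample records and the `copy_link_target` function are all constructed for the example: a link target stored inline in a fixed-size area next to a length field that comes from the image and is therefore untrusted.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record for this example (not an e2fsprogs structure). */
#define INLINE_TARGET_MAX 60

struct disk_link {
    uint32_t declared_len;                  /* length recorded in the image (untrusted) */
    char inline_target[INLINE_TARGET_MAX];  /* target bytes; NUL termination not guaranteed */
};

/*
 * Copy the link target into a freshly allocated, NUL-terminated buffer.
 *
 * The unsafe pattern this replaces is
 *
 *     buf = malloc(rec->declared_len + 1);
 *     strcpy(buf, rec->inline_target);
 *
 * which trusts that the inline bytes are no longer than declared_len. When
 * they are longer, strcpy writes past buf; with -D_FORTIFY_SOURCE=3 glibc
 * routes the call through __strcpy_chk, which aborts with
 * "*** buffer overflow detected ***" as in the report above. Here the length
 * is validated first, so an inconsistent record yields NULL with errno set to
 * EINVAL instead of a write past the end of the buffer.
 */
char *copy_link_target(const struct disk_link *rec)
{
    size_t n = rec->declared_len;

    /* The declared length must fit the inline area. */
    if (n > INLINE_TARGET_MAX) {
        errno = EINVAL;
        return NULL;
    }

    /* strnlen is bounded: it never reads past the inline area, even when
     * the bytes there are not NUL-terminated. */
    size_t actual = strnlen(rec->inline_target, INLINE_TARGET_MAX);

    /* The bytes present and the declared length must agree; a mismatch
     * means the image is inconsistent and the record is rejected. */
    if (actual != n) {
        errno = EINVAL;
        return NULL;
    }

    char *buf = malloc(n + 1);
    if (buf == NULL)
        return NULL;                    /* errno is already ENOMEM */
    memcpy(buf, rec->inline_target, n); /* bounded copy of exactly n bytes */
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed sample records. */
    struct disk_link good       = { 4, "link" };
    struct disk_link short_decl = { 0, "stale-bytes" }; /* declares 0 bytes, carries 11 */
    struct disk_link too_long   = { 61, "x" };          /* declares more than the area holds */

    const struct disk_link *recs[] = { &good, &short_decl, &too_long };
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++) {
        char *t = copy_link_target(recs[i]);
        if (t == NULL) {
            printf("record %zu: rejected (%s)\n", i, strerror(errno));
        } else {
            printf("record %zu: target \"%s\"\n", i, t);
            free(t);
        }
    }
    return 0;
}
```

With the unsafe `strcpy` form, the `short_decl` record would allocate a one-byte buffer and copy twelve bytes into it, which is exactly the kind of mismatch the fortified `__strcpy_chk` turns into an abort. The checked form rejects the record before any copy, so the program reports a corrupt image rather than terminating, and the zero-length target of an otherwise consistent record is returned as an empty string for the caller to handle (for a symlink, `symlink(2)` itself refuses an empty target, which matches the "No such file or directory while creating symlink" message above).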

tytso commented 4 months ago

This looks like it has been fixed upstream. I just tried building with --enable-hardening with FORTIFY_SOURCE set to 3, and running the regression test, and it's passing 100%. I suspect it was fixed when we added --enable-asan and --enable-ubsan and fixed up any issues that were detected by these sanitizers.