| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
| |
Now wipefs always inform about MBR as about PMBR. That's bug.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The BEFS prober is quite trusting of whatever data is fed to it and
performs almost no bounds checks. There don't seem to be any
out-of-bounds writes as far as I can tell, but there are many ways a
corrupted image could cause libblkid to read OOB and segfault, or hang
in an infinite loop.
This fix makes a few sanity-checks of the superblock, add bounds checks
wherever they seem needed, and crudely checks for cycles in the B+ tree.
Signed-off-by: Alden Tondettar <alden.tondettar@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
If a GUID Partition Table claims to have more than 2**25 entries, or if the
size of each entry is not exactly 128 bytes, libblkid can read out of bounds
and segfault. Perform the appropriate checks.
[kzak@redhat.com: - fix typo]
Signed-off-by: Alden Tondettar <alden.tondettar@gmail.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The NTFS prober does not validate certain fields in struct file_attribute,
and could attempt to read the disk label from outside the space allocated
for the Master File Table. Perform the appropriate checks.
Note that one variable (attr_off) is now 64-bit, so a check for integer
overflow has been removed as unneeded/confusing.
Signed-off-by: Alden Tondettar <alden.tondettar@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A corrupted ZFS filesystem can trigger 32-bit endian-conversions of
unintended memory locations in zfs_extract_guid_name(), in several ways:
* The variable "left" (number of bytes remaining in the buffer) does not
account for the 12 bytes of the nvlist header.
* The field nvp->nvp_namelen (name length in name/value pair) is rounded
up to the nearest multiple of 4, but only the unrounded size is checked.
* The fields nvs->nvs_type, nvs_strlen, etc. are modified _before_ checking
if they are within bounds.
* A negative value of nvp->nvp_namelen will bypass the check that
nvp->nvp_namelen fits into nvp->nvp_size (size of name/value pair).
This allows for mangling of locations up to 12 + 3 + 8 == 23
bytes beyond the end of stack-based buff[4096], and up to 2**31 bytes
before its beginning.
Furthermore some debugging messages are printed from unchecked memory
locations, possibly resulting in OOB reads or setuid programs leaking
sensitive data when LIBBLKID_DEBUG is set.
This fix attempts to correct all of these problems. It also eliminates the
stack-based buffer (in case anything else was missed) and refactors things
a bit to (hopefully) make it easier to spot any mistakes.
Signed-off-by: Alden Tondettar <alden.tondettar@gmail.com>
|
|
|
|
|
|
|
|
|
| |
The usual way is to use ioctl to ask block device for sector size, but
this is useless for disk images (regular files). And the default
(512-bytes) may be pretty wrong for disk images from 4K disks. Let's
support a way how to specify proper sector size.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Swap devices with specific values in the uuid can look like minix
devices to blkid. Add an extra check to make sure the state of the
filesystem has valid state flags.
A couple of offending swap uuids include:
35f1f264-137f-471a-bc85-acc9f4bc04a3
35f1f264-7f13-471a-bc85-acc9f4bc04a3
35f1f264-138f-471a-bc85-acc9f4bc04a3
35f1f264-8f13-471a-bc85-acc9f4bc04a3
Without this change a swap device with any of those uuids would be
detected as minix and swap by blkid.
Signed-off-by: Nate Clark <nate@neworld.us>
|
|
|
|
|
|
|
|
| |
fsck.minix performs the same sanity checks on all versions of the
superblock. Update the probe to perform the same sanity checks so it is
less likely a different type of filesystem will be identified as minix.
Signed-off-by: Nate Clark <nate@neworld.us>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All of the types in the minix super block are unsigned but in
probe_minix they were being treated as signed. This would cause some of
the extra sanity checks to pass on a non minix device. The types were
updated to match the return types of the helper functions in
disk-utils/minix_programs.h
This can be checked by creating a swap partition with one of these UUIDs
35f1f264-2468-471a-bc85-acc9f4bc04a3
35f1f264-6824-471a-bc85-acc9f4bc04a3
35f1f264-2478-471a-bc85-acc9f4bc04a3
35f1f264-7824-471a-bc85-acc9f4bc04a3
Prior to this change they would all be considered minix and swap by
blkid.
Signed-off-by: Nate Clark <nate@neworld.us>
|
|
|
|
|
|
|
| |
The links to ftp://ftp.kernel.org/ are replaced by
https://www.kernel.org/.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
| |
Just to be consistent ...
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
|
|
|
|
| |
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
|
|
|
|
|
|
|
|
|
|
| |
libsmartcols/samples/fromfile.c:59:2: warning: passing argument 3 of 'string_to_bitmask' from incompatible pointer type
text-utils/pg.c:79:0: warning: "TABSIZE" redefined
libblkid/src/read.c:455:13: warning: 'debug_dump_dev' defined but not used [-Wunused-function]
libblkid/src/probe.c:769:13: warning: unused function 'cdrom_size_correction' [-Wunused-function]
/usr/include/sys/termios.h:3:2: warning: "this file includes <sys/termios.h> which is deprecated, use <termios.h> instead" [-W#warnings]
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
|
|
|
|
|
|
|
|
|
|
|
| |
Make the publicly-visible crc32 library functions prefixed by ul_, such
as crc32() -> ul_crc32().
This is because it clashes with the crc32() function from zlib.
For newer versions of glib (2.50+) zlib and libblkid are required
dependencies and otherwise results in build failure when building
statically.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
|
|
|
|
|
|
|
|
|
| |
A strlen() call can lead to out of boundary read access if the
superblock in question has no nul-bytes after the string. This
could be avoided by using strnlen() but the calls in question
merely existed to check if the string length is not 0.
By changing the calls as proposed with this diff, these files are
in sync with other superblock files, which do exactly the same.
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
| |
Do not hang if there is a cluster chain loop in rootdir
[kzak@redhat.com: - add return NULL]
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It's possible to use boot sector and empty MBR on LVM physical volume
to make LVM disk bootable. In this case MBR should be ignored and disk
reported as LVM.
Just for the record, this is ugly non-default LVM setup maintained for
backward compatibility (yes, LVM guys don't like it too).
Unfortunately people still use it. The proper way is to use regular
partitioned disk.
Reported-by: Xen <list@xenhideout.nl>
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
64 bit systems can trigger an out of boundary access while performing
a ZFS superblock probe.
This happens due to a possible integer overflow while calculating
the remaining available bytes. The variable is of type "int" and the
string length is allowed to be larger than INT_MAX, which means that
avail calculation can overflow, circumventing the "avail < 0" check and
therefore accessing memory outside the "buff" array later on.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
|
|
|
|
|
| |
This should prevent division by zero in find_label()
Signed-off-by: Rostislav Skudnov <rostislav@tuxera.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
| |
The oclint was complaining 'empty do/while statement' that turned out to be
true and I started to think it is best to use the same DBG() macro as in
other source files for this library.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
|
|
|
|
|
|
|
|
| |
Move negative and positive testing of 'has' variable to top level, and test
flag bit mask on second level. This way the 'has' needs to be checked only
once.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is extension to the patch 7164a1c34d18831ac61c6744ad14ce916d389b3f.
We also need to detect non-empty recursion in the EBR chain. It's
possible to create standard valid logical partitions and in the last one
points back to the EBR chain. In this case all offsets will be non-empty.
Unfortunately, it's valid to create logical partitions that are not in
the "disk order" (sorted by start offset). So link somewhere back is
valid, but this link cannot points to already existing partition
(otherwise we will see recursion).
This patch forces libblkid to ignore duplicate logical partitions, the
duplicate chain segment is interpreted as non-data segment, after 100
iterations with non-data segments it will break the loop -- no memory
is allocated in this case by the loop.
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
References: http://seclists.org/oss-sec/2016/q3/40
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the extended partition starts at zero LBA then MBR is interpreted
as EBR and all is recursively parsed... result is out-of-memory.
MBR --extended-partition--> EBR --> MBR --> ENB --> MBR ...
Note that such PT is not possible to create by standard partitioning
tools.
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Drives with 512 and 4K sectors have different offset for
metadata signature. Without signature detected on 4Kn drives
those drives will not be recognized as raid member. This
patch adds checking for IMSM signature for 4Kn drives.
Signed-off-by: Alexey Obitotskiy <aleksey.obitotskiy@intel.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The bytes variable is read from the file system to probe and must be
checked before used as length parameter in the crc32 call.
The following problems may occur here:
- bytes smaller than sumoff + 4: underflow in length calculation
- bytes larger than remaining space in sb: overflow of buffer
This fixes a problem where an encrypted volume had the correct magic
values 0x3434 at offset 0x406 and the following uint16_t (which is
read into the nilfs_super_block.s_bytes struct) was parsed as 1.
Then crc32 was called with the length value 18446744073709551597
causing a segmentation fault.
[kzak@redhat.com: - fix probe_nilfs2() return code]
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
| |
Fix various typos in error messages, warnings, debug strings,
comments and names of static functions.
Signed-off-by: Sebastian Rasmussen <sebras@gmail.com>
|
|
|
|
| |
Signed-off-by: Sebastian Rasmussen <sebras@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let's try to use symlink:
# ls -la /dev/block/8\:1
# lrwxrwxrwx 1 root root 7 May 25 16:42 /dev/block/8:1 -> ../sda1
# blkid /dev/block/8:1
/dev/block/8:3: LABEL="HOME" UUID="196972ad-3b13-4bba-ac54-4cb3f7b409a4" TYPE="ext4" PARTUUID="6073277f-87bc-43ff-bcfd-724c4484a63a"
unfortunately the symlink is stored to the cache:
<device DEVNO="0x0803" TIME="1464253300.715279" LABEL="HOME" UUID="196972ad-3b13-4bba-ac54-4cb3f7b409a4" TYPE="ext4" PARTUUID="6073277f-87bc-43ff-bcfd-724c4484a63a">/dev/block/8:3</device>
next time if you ask for LABEL=HOME the answer will be /dev/block/8:3
rather than /dev/sda3.
It seems better to canonicalize the paths we store to the cache.
Unfortunately if you ask for /dev/block/8:3 then you probably expect
that blkid_dev_devname() returns the same path. This patch introduces
dev->bid_xname, this is the path used by application (and never stored
in the cache).
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1332779
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
| |
It seems too tricky to get a real size of the data track on hybrid
disks with audio+data. It seems overkill to analyze all header in
libblkid and on some disks it's probably possible to get I/O error
almost everywhere due to crazy copy protection etc.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit a14cc9a5046bc4954b4110323c83599f90f9f35e.
We need a better way (probably analyze track ioctls CDROMREADTOCHDR
and CDROMREADTOCENTRY) to get also proper track size.
The original patch works only if data track is the last track.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
.. and read last session if probing offset is not specified.
udev uses cdrom_id to get last session offset, so people don't see a
problem with hybrid media (audio+data), but if you execute blkid on
command line (without -O <offset>) then you get I/O errors.
It seems that we can use the same way as kernel filesystem iso9960
driver when session= mount option is not specified ... just use
CDROMMULTISESSION ioctl to get last session offset and probe this last
session rather than all medium.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Linux kernel reports devices greater than area readable by read(2).
The readable area is usually 2-3 CD blocks smaller (CD block is
2048-bytes) than size returned by BLKGETSIZE. This patch checks for
this issues to avoid I/O errors in probing functions.
Reported-by: Thomas Schmitt <scdbackup@gmx.net>
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a probe is created with an offset, e.g. via
blkid_probe_set_device(), this offset is correctly used when looking for
the signatures, but is not respected by blkid_do_wipe() function.
Therefore the signature is removed from an invalid location.
Usecase: Wiping signatures from an area on the block device where
partition is to be created (but as it does not exist yet, there's no
device node for it and probe on the whole block device has to be used
with correct offset and length).
Reproducer:
======================== wiper.c ===========================
const char *dev;
unsigned long offset;
unsigned long size;
int main(int argc, char** argv) {
if (argc != 4) {
printf("usage: wiper dev offset size\n");
exit(1);
}
dev = argv[1];
offset = strtoull(argv[2], NULL, 10);
size = strtoull(argv[3], NULL, 10);
printf("dev=%s, off=%llu, size=%llu\n", dev, offset, size);
int fd = open (dev, O_RDWR);
if (fd == -1) {
perror("open");
exit(1);
}
blkid_loff_t wipe_offset = offset * SECTOR_SIZE;
blkid_loff_t wipe_size = size * SECTOR_SIZE;
int ret;
blkid_probe pr;
pr = blkid_new_probe();
if (!pr)
return 0;
ret = blkid_probe_set_device(pr, fd, wipe_offset, wipe_size);
ret = blkid_probe_enable_superblocks(pr, 1);
ret = blkid_probe_set_superblocks_flags(pr, BLKID_SUBLKS_MAGIC);
while (blkid_do_probe(pr) == 0) {
ret = blkid_do_wipe(pr, 0);
}
blkid_free_probe(pr);
close(fd);
}
======================== wiper.c ===========================
Steps to reproduce:
modprobe scsi_debug
parted -s /dev/sdX mklabel gpt
parted -s /dev/sdX mkpart first 2048s 4095s
mkfs.ext2 /dev/sdX1
wipefs -np /dev/sdX1
./wiper /dev/sdX1 2048 2048
Actual result: wiper gets into endless loop, because
blkid_do_wipe() wipes at wrong location (1080), leaving the signature
on /dev/sdc1. So it is again found by blkid_do_probe(), and so on.
Expected result: wiper clears the ext2 signature at offset 1049656(=1080+2048*512).
Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The implementation has not been ready for I/O errors and it seems that
there is no elegant way how to resolve this issue. Linux returns
SIGBUS on mmap errors and play with signals (or longjumps) in shared
library is really bad idea.
It also seems that mmaped devices have some unexpected side-effects
with page-cache where for example dd returns old data for already
modified device etc.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
| |
Later version of bcache add different checksum types, and allow for superblocks
greater than 4k - skipping the checksum check (as in most other probes) is the
easiest solution.
Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
|
|
|
|
| |
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
This reverts commit 46a40c018438b7b2b25083a5e5a4a21055a0c1e9.
|
|
|
|
|
|
|
|
| |
BSD/Linux systems stick major/minor/makedev in sysmacros.h. Newer Linux
libraries have been moving away from including sysmacros.h implicitly via
sys/types.h, so include it directly.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
|
|
| |
Such cast could hide serious compiler warnings in case we are
missing includes (e.g. <stdlib.h> or "xalloc.h").
See
http://stackoverflow.com/questions/605845/do-i-cast-the-result-of-malloc
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is again a huge patch regarding printf format strings to
fix compiler warnings seen on clang/OSX.
I'm trying to follow these rules strictly:
#type #format #cast
uintmax_t %ju -
intmax_t %jd -
uint64_t PRIu64 -
int64_t PRId64 -
size_t %zu -
ssize_t %zd -
ino_t %ju (uintmax_t)
off_t %jd (intmax_t)
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I have validated that we are still compatible at least back to
- openSUSE 11.4
- SLE 11
- RHEL/CentOS 6
- OSX 10.10.x, (Xcode 6.3)
- FreeBSD 10.2
Confirmed incompatibility:
- OSX 10.9.x, (Xcode 6.2)
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
|
|
|
|
|
|
|
| |
It's missing on OSX.
CC: Yuriy M. Kaminskiy <yumkam@gmail.com>
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
|