Several bugs in xfs-progs when parsing invalid input

Eric Sandeen sandeen at sandeen.net
Fri Nov 6 10:54:11 CST 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 11/5/15 10:47 AM, Hanno Böck wrote:
> Hi,
> 
> A while ago I reported a couple of bugs into your bugtracker about
> issues in xfs_repair that I found through fuzzing (with the tool
> american fuzzy lop).
> 
> http://oss.sgi.com/bugzilla/show_bug.cgi?id=1119
> null pointer access
> 
> http://oss.sgi.com/bugzilla/show_bug.cgi?id=1120
> out of bounds heap read access
> 
> http://oss.sgi.com/bugzilla/show_bug.cgi?id=1121
> http://oss.sgi.com/bugzilla/show_bug.cgi?id=1122
> 2x assert
> 
> When opening these bugs I got an error message. I then contacted your
> support and almost two months(!) later I got a reply telling me that I
> should not use bugzilla, instead I should report bugs to this mailing
> list.
> 
> Your webpage however clearly states that I should use bugzilla:
> http://oss.sgi.com/projects/xfs/

oss.sgi.com infrastructure is not well maintained, I'm sorry about that,
but it's up to SGI to fix anything that needs fixing, I'm afraid.

Which is a pity, because a well-maintained bug tracker would be pretty
useful.

That said, reporting to the list is also probably a good idea.

> This is all a bit ridiculous. If you don't want people to use your
> bugzilla don't say so on your webpage and preferrably disable the
> creation of new bugs.
> 
> Anyway: Please have a look at the bugs I reported (and once they're
> fixed I'll happily re-test the code to see if there are more issues
> that can be found via fuzzing).

You didn't say what version of xfsprogs you tested, but there have
been a few independent fuzz-related fixes recently; you might just retest
against what's currently in the git tree, and see if we got lucky.  ;)

Thanks,
- -Eric
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJWPNsyAAoJECCuFpLhPd7gcIcP/26oNtf4LctRnyNwAQfqdp99
SCoJoCBnJLY8B8CI4ut1LkUzaCmGw3tC/sB5i+JxV9kU2U1IZ3D06mw3HMFrf2zB
/AXxTyZPejpNGmWsfn8XevaC0t2/qGqZp6cEyE7IeK7CCDfKl/ulmTg0np3uexTo
/FRTBkFJtM9TOgByvbuk0CAeW4zC9VUCBubV5KxXFgJgQIigHDZhdVPl6gFfPuov
+AZu8jNAK+zKcmlziUxZHr+xL/8T+IVGkao91pqxXYDW/p0OYC4XlOm8NCQ+Z7HQ
zuCWDyL8Y1lCwqJonkO+slFQ1YtF2K2zBmyT8HBzmqd294/9SP8pJcyZkm9JKbvC
on2AipTqrob90xHnMyyIrU9stbfa2vlFo2CDUzDwklY6M3dfViPoMrkAu+IRxjC0
aenoezYSYJ6H4blAfvWeSHwmfSUp9qtS+QR0ETPLqw+w1WARrbxjqcARw+ln4dOY
+0AgUJfc6UFmgGkulX2qQqFX8zNth9uE09TIU5q2Gy9/uY2hkK7mgQ4sVNQMVt7f
M2vooAh8vF59PrJt6fTOHeSMrTcScl1fi1N0sQgnWfDUWlh81gSCRBy3drg02JGB
nh3wcAJo4D726fyucRh7XSj+3k2CUas/Y87kDevX5A8xBBNNiT/S4ueYlg7BEPT4
5Y20B/KyIe0jQiLFLOMU
=Vuhf
-----END PGP SIGNATURE-----

More information about the xfs mailing list