← Back to team overview

touch-packages team mailing list archive

[Bug 1389321] [NEW] partx wraps partition offset and length mod 2^32 (2^23 sectors)

 

Public bug reported:

I notified this bug with util-linux 2.20.1-5.1ubuntu20.2 and kernel
3.13.0-39-generic (i386732 bit) with Ubuntu 14.04.1 LTS

I examined a 8gb sd-card image via loop device; parted reports:
# parted /dev/loop0 u b print
Modell: Loopback device (loop)
Festplatte  /dev/loop0:  7822376960B
Sektorgröße (logisch/physisch): 512B/512B
Partitionstabelle: msdos

Nummer  Anfang       Ende         Größe        Typ       Dateisystem  Flags
 1      4194304B     123000319B   118806016B   primary                LBA
 2      125829120B   7788822527B  7662993408B  extended
 5      130023424B   264241151B   134217728B   logical   fat32        LBA
 6      268435456B   3245342719B  2976907264B  logical   ext4
 7      3246391296B  3309305855B  62914560B    logical   fat32        LBA
 8      3313500160B  7785676799B  4472176640B  logical   ext4
 3      7788822528B  7822376959B  33554432B    primary   ext4

Then I made partition devices:
# partx -a /dev/loop0

This is what the kernel sees:
# cat /proc/partitions 
major minor  #blocks  name

   7        0    7639040 loop0
 259        0     116021 loop0p1
 259        1          1 loop0p2
 259        2      32768 loop0p3
 259        3     131072 loop0p5
 259        4    2907136 loop0p6
 259        5      61440 loop0p7
 259        6     173056 loop0p8

First thing I noticed: the contents of partition 3 was different from
the one at the corresponding offset within the image file. Then I saw -
as you can see above - that also partition 8 is much smaller than
reported by parted. In fact, the difference between the partition size
as seen by the kernel (in 1024 byte blocks) to the one in the MBR is
exactly 4294967296 bytes or 2^32. This prompted me to check, if a
similar wraparound happened to the offset of partition 3, and compared
its content to that at offset mod 2^32 (3493855232) in the image file:
sha256sum of the next 100 sectors compared identical.

It seems pretty obvious that partx uses 32-bit integers for offset and
size, and fails with sizes bigger than 4 gb. I think this bug is severe,
as partitions beyond 4 gb are mapped to a different area, and writing to
them overwrites data in other partitions.

** Affects: util-linux (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1389321

Title:
  partx wraps partition offset and length mod 2^32 (2^23 sectors)

Status in “util-linux” package in Ubuntu:
  New

Bug description:
  I notified this bug with util-linux 2.20.1-5.1ubuntu20.2 and kernel
  3.13.0-39-generic (i386732 bit) with Ubuntu 14.04.1 LTS

  I examined a 8gb sd-card image via loop device; parted reports:
  # parted /dev/loop0 u b print
  Modell: Loopback device (loop)
  Festplatte  /dev/loop0:  7822376960B
  Sektorgröße (logisch/physisch): 512B/512B
  Partitionstabelle: msdos

  Nummer  Anfang       Ende         Größe        Typ       Dateisystem  Flags
   1      4194304B     123000319B   118806016B   primary                LBA
   2      125829120B   7788822527B  7662993408B  extended
   5      130023424B   264241151B   134217728B   logical   fat32        LBA
   6      268435456B   3245342719B  2976907264B  logical   ext4
   7      3246391296B  3309305855B  62914560B    logical   fat32        LBA
   8      3313500160B  7785676799B  4472176640B  logical   ext4
   3      7788822528B  7822376959B  33554432B    primary   ext4

  Then I made partition devices:
  # partx -a /dev/loop0

  This is what the kernel sees:
  # cat /proc/partitions 
  major minor  #blocks  name

     7        0    7639040 loop0
   259        0     116021 loop0p1
   259        1          1 loop0p2
   259        2      32768 loop0p3
   259        3     131072 loop0p5
   259        4    2907136 loop0p6
   259        5      61440 loop0p7
   259        6     173056 loop0p8

  First thing I noticed: the contents of partition 3 was different from
  the one at the corresponding offset within the image file. Then I saw
  - as you can see above - that also partition 8 is much smaller than
  reported by parted. In fact, the difference between the partition size
  as seen by the kernel (in 1024 byte blocks) to the one in the MBR is
  exactly 4294967296 bytes or 2^32. This prompted me to check, if a
  similar wraparound happened to the offset of partition 3, and compared
  its content to that at offset mod 2^32 (3493855232) in the image file:
  sha256sum of the next 100 sectors compared identical.

  It seems pretty obvious that partx uses 32-bit integers for offset and
  size, and fails with sizes bigger than 4 gb. I think this bug is
  severe, as partitions beyond 4 gb are mapped to a different area, and
  writing to them overwrites data in other partitions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1389321/+subscriptions


Follow ups

References