#14 free(): invalid pointer

[Cebtenzzre]

When I was helping a friend use ext4magic, it crashed with SIGABRT because a non-malloc()ed address was passed to free.

ASAN report:

==1535==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x7ff6f6131794 in thread T0
#0 0x7ff6f86f6dc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x7ff6f852dcc0 in ext2fs_free_mem (/usr/lib/libext2fs.so.2+0x2ccc0) (BuildId: 53d2cdd8626816ff908b663e489ddd3708b64b54)
#2 0x557d7f3fd718 in local_ext2fs_extent_free /usr/src/debug/ext4magic/ext4magic-0.3.2/src/block.c:100
#3 0x557d7f4023d9 in local_block_iterate3 /usr/src/debug/ext4magic/ext4magic-0.3.2/src/block.c:703
#4 0x557d7f480e65 in check_file_recover /usr/src/debug/ext4magic/ext4magic-0.3.2/src/recover.c:600
#5 0x557d7f46cc91 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:641
#6 0x557d7f46cac0 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:626
#7 0x557d7f46cac0 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:626
#8 0x557d7f46cac0 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:626
#9 0x557d7f46cac0 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:626
#10 0x557d7f46cac0 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:626
#11 0x557d7f46cac0 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:626
#12 0x557d7f408cf2 in main /usr/src/debug/ext4magic/ext4magic-0.3.2/src/ext4magic.c:1096
#13 0x7ff6f831584f (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
#14 0x7ff6f8315909 in __libc_start_main (/usr/lib/libc.so.6+0x23909) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
#15 0x557d7f3fd494 in _start (/usr/bin/ext4magic+0x11494) (BuildId: 0bfaf5e9786079b8b1a9382d9fd602aa2773f700)

Address 0x7ff6f6131794 is located in stack of thread T0 at offset 404 in frame
#0 0x557d7f4010fa in local_block_iterate3 /usr/src/debug/ext4magic/ext4magic-0.3.2/src/block.c:549

This frame has 7 object(s):
[48, 56) 'blk64' (line 556)
[80, 88) 'handle' (line 609)
[112, 120) 'blk' (line 612)
[144, 152) 'new_blk' (line 612)
[176, 200) 'extent' (line 610)
[240, 312) 'ctx' (line 554)
[352, 480) 'inode' (line 539) <== Memory access at offset 404 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: bad-free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52 in __interceptor_free
==1535==ABORTING

This appears to be a mismatch between ext2fs_extent_open2 and local_ext2fs_extent_free. Changing it to ext2fs_extent_free fixed the problem for me.

[Vitaly]

The root cause is ext4magic was not updated after update of the e2fsprogs. Two new fields are added into ext2_extent_handle and extent_path structures (e2fsprogs commits a14f0a647 and 2d30ab20a). As a result structure memory layout is changed and ext4magic overwrites structure fields incorrectly. It is correctly reported by valgrind.

Possible quickfix is applying the following patch:

diff -r -u a/src/block.c b/src/block.c
--- a/src/block.c   2014-03-12 04:54:03.000000000 +0400
+++ b/src/block.c   2024-04-10 09:10:06.436387279 +0300
@@ -64,6 +64,7 @@
         int             visit_num;
         int             flags;
         blk64_t         end_blk;
+        blk64_t         blk;
         void            *curr;
 };

@@ -79,6 +80,7 @@
         int                     type;
         int                     level;
         int                     max_depth;
+        int                     max_paths;
         struct extent_path      *path;
 };

@@ -180,6 +182,7 @@
                 ((((__u64) handle->inode->i_size_high << 32) +
                   handle->inode->i_size + (fs->blocksize - 1))
                  >> EXT2_BLOCK_SIZE_BITS(fs->super));
+        handle->path[0].blk = 0;
         handle->path[0].visit_num = 1;
         handle->level = 0;
         handle->magic = EXT2_ET_MAGIC_EXTENT_HANDLE;

It seems to work because:
- blk field is used only by internal e2fsprogs logic;
- while max_path field logic is updated it is still compatible with old logic (basically max_path value is equal to the max_depth + 1).

Proper fix without changing the code is to link the ext4magic to the e2fsprogs v1.42.13 (the last one before commit a14f0a647).

Originally posted this in Arch Linux packaging repo