Message ID | 20220607042444.1798015-4-tytso@mit.edu |
---|---|
State | Accepted |
Headers | show |
Series | Fix various bugs found via a fuzzing campaign | expand |
On Tue, Jun 07, 2022 at 12:24:40AM -0400, Theodore Ts'o wrote: > If there is an inline data directory which is smaller than 8 bytes > (which should never happen but for corrupted or fuzzed file systems), > ext2fs_process_dir_block() will now abort EXT2_ET_DIR_CORRUPTED to > avoid an out-of-bounds read. Looks good. Reviewed-by: Lukas Czerner <lczerner@redhat.com> > > Reported-by: Nils Bars <nils.bars@rub.de> > Reported-by: Moritz Schlögel <moritz.schloegel@rub.de> > Reported-by: Nico Schiller <nico.schiller@rub.de> > Signed-off-by: Theodore Ts'o <tytso@mit.edu> > --- > lib/ext2fs/dir_iterate.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/lib/ext2fs/dir_iterate.c b/lib/ext2fs/dir_iterate.c > index b2b77693..7798a482 100644 > --- a/lib/ext2fs/dir_iterate.c > +++ b/lib/ext2fs/dir_iterate.c > @@ -221,6 +221,10 @@ int ext2fs_process_dir_block(ext2_filsys fs, > if (ext2fs_has_feature_metadata_csum(fs->super)) > csum_size = sizeof(struct ext2_dir_entry_tail); > > + if (buflen < 8) { > + ctx->errcode = EXT2_ET_DIR_CORRUPTED; > + return BLOCK_ABORT; > + } > while (offset < buflen - 8) { > dirent = (struct ext2_dir_entry *) (ctx->buf + offset); > if (ext2fs_get_rec_len(fs, dirent, &rec_len)) > -- > 2.31.0 >
diff --git a/lib/ext2fs/dir_iterate.c b/lib/ext2fs/dir_iterate.c index b2b77693..7798a482 100644 --- a/lib/ext2fs/dir_iterate.c +++ b/lib/ext2fs/dir_iterate.c @@ -221,6 +221,10 @@ int ext2fs_process_dir_block(ext2_filsys fs, if (ext2fs_has_feature_metadata_csum(fs->super)) csum_size = sizeof(struct ext2_dir_entry_tail); + if (buflen < 8) { + ctx->errcode = EXT2_ET_DIR_CORRUPTED; + return BLOCK_ABORT; + } while (offset < buflen - 8) { dirent = (struct ext2_dir_entry *) (ctx->buf + offset); if (ext2fs_get_rec_len(fs, dirent, &rec_len))
If there is an inline data directory which is smaller than 8 bytes (which should never happen but for corrupted or fuzzed file systems), ext2fs_process_dir_block() will now abort EXT2_ET_DIR_CORRUPTED to avoid an out-of-bounds read. Reported-by: Nils Bars <nils.bars@rub.de> Reported-by: Moritz Schlögel <moritz.schloegel@rub.de> Reported-by: Nico Schiller <nico.schiller@rub.de> Signed-off-by: Theodore Ts'o <tytso@mit.edu> --- lib/ext2fs/dir_iterate.c | 4 ++++ 1 file changed, 4 insertions(+)