From patchwork Tue Aug 14 14:37:53 2018
X-Patchwork-Submitter: Lukas Czerner
X-Patchwork-Id: 957548
From: Lukas Czerner
To: linux-ext4@vger.kernel.org
Cc: Lukas Czerner
Subject: [PATCH] e2fsprogs: avoid segfault when s_nr_users is too high
Date: Tue, 14 Aug 2018 16:37:53 +0200
Message-Id: <20180814143753.8937-1-lczerner@redhat.com>
X-Mailing-List: linux-ext4@vger.kernel.org

Currently in e2fsprogs tools it's possible to access out of bounds memory
when reading list of ids sharing a journal log
(journal_superblock_t->s_users[]) in case where s_nr_users is too high.

This is because we never check whether the s_nr_users fits into the
restriction of JFS_USERS_MAX. Fix it by checking that nr_users is not
bigger than JFS_USERS_MAX and error out when possible.

Also add test for dumpe2fs. The rest would require involving external
journal which is not possible to test with e2fsprogs test suite at the
moment.

Signed-off-by: Lukas Czerner
---
 lib/e2p/ljs.c                             |   4 +-
 lib/ext2fs/mkjournal.c                    |   2 +
 misc/tune2fs.c                            |  11 +++
 tests/d_corrupt_journal_nr_users/expect   |  99 ++++++++++++++++++++++
 tests/d_corrupt_journal_nr_users/image.gz | Bin 0 -> 8788 bytes
 tests/d_corrupt_journal_nr_users/name     |   1 +
 tests/d_corrupt_journal_nr_users/script   |  25 ++++++
 tests/f_bad_local_jnl/image               | Bin 0 -> 8388608 bytes
 8 files changed, 140 insertions(+), 2 deletions(-)
 create mode 100644 tests/d_corrupt_journal_nr_users/expect
 create mode 100644 tests/d_corrupt_journal_nr_users/image.gz
 create mode 100644 tests/d_corrupt_journal_nr_users/name
 create mode 100644 tests/d_corrupt_journal_nr_users/script
 create mode 100644 tests/f_bad_local_jnl/image

diff --git a/tests/f_bad_local_jnl/image b/tests/f_bad_local_jnl/image new file mode 100644 index 0000000000000000000000000000000000000000..6f2b550a3811cdffb3cdf8f3eb0eaae4e9a9421a GIT binary patch literal 8388608
diff --git a/lib/e2p/ljs.c b/lib/e2p/ljs.c index 0b1beadb..c99126b6 100644 --- a/lib/e2p/ljs.c +++ b/lib/e2p/ljs.c @@ -101,10 +101,10 @@ void e2p_list_journal_super(FILE *f, char *journal_sb_buf, e2p_be32(jsb->s_checksum)); if ((nr_users > 1) || !e2p_is_null_uuid(&jsb->s_users[0])) { - for (i=0; i < nr_users; i++) { + for (i=0; i < nr_users && i < JFS_USERS_MAX; i++) { printf(i ? " %s\n" : "Journal users: %s\n", - e2p_uuid2str(&jsb->s_users[i*16])); + e2p_uuid2str(&jsb->s_users[i * UUID_SIZE])); } } if (jsb->s_errno != 0) 
diff --git a/lib/ext2fs/mkjournal.c b/lib/ext2fs/mkjournal.c index 7f78291d..a90e80e0 100644 --- a/lib/ext2fs/mkjournal.c +++ b/lib/ext2fs/mkjournal.c @@ -401,6 +401,8 @@ errcode_t ext2fs_add_journal_device(ext2_filsys fs, ext2_filsys journal_dev) /* Check and see if this filesystem has already been added */ nr_users = ntohl(jsb->s_nr_users); + if (nr_users > JFS_USERS_MAX) + return EXT2_ET_CORRUPT_JOURNAL_SB; for (i=0; i < nr_users; i++) { if (memcmp(fs->super->s_uuid, &jsb->s_users[i*16], 16) == 0) diff --git a/misc/tune2fs.c b/misc/tune2fs.c index 4b673bc2..d5d542fb 100644 --- a/misc/tune2fs.c +++ b/misc/tune2fs.c @@ -291,6 +291,12 @@ static int remove_journal_device(ext2_filsys fs) jsb = (journal_superblock_t *) buf; /* Find the filesystem UUID */ nr_users = ntohl(jsb->s_nr_users); + if (nr_users > JFS_USERS_MAX) { + fprintf(stderr, _("Journal superblock is corrupted, nr_users\n" + "is too high (%d).\n"), nr_users); + commit_remove_journal = 1; + goto no_valid_journal; + } if (!journal_user(fs->super->s_uuid, jsb->s_users, nr_users)) { fputs(_("Filesystem's UUID not found on journal device.\n"), @@ -2854,6 +2860,11 @@ fs_update_journal_user(struct ext2_super_block *sb, __u8 old_uuid[UUID_SIZE]) jsb = (journal_superblock_t *) buf; /* Find the filesystem UUID */ nr_users = ntohl(jsb->s_nr_users); + if (nr_users > JFS_USERS_MAX) { + fprintf(stderr, _("Journal superblock is corrupted, nr_users\n" + "is too high (%d).\n"), nr_users); + return EXT2_ET_CORRUPT_JOURNAL_SB; + } j_uuid = journal_user(old_uuid, jsb->s_users, nr_users); if (j_uuid == NULL) { diff --git a/tests/d_corrupt_journal_nr_users/expect b/tests/d_corrupt_journal_nr_users/expect new file mode 100644 index 00000000..cdfb49a0 --- /dev/null +++ b/tests/d_corrupt_journal_nr_users/expect 
@@ -0,0 +1,99 @@ +Filesystem volume name: +Last mounted on: +Filesystem magic number: 0xEF53 +Filesystem revision #: 1 (dynamic) +Filesystem features: has_journal ext_attr resize_inode dir_index filetype extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum +Default mount options: user_xattr acl +Filesystem state: clean +Errors behavior: Continue +Filesystem OS type: Linux +Inode count: 512 +Block count: 2048 +Reserved block count: 102 +Free blocks: 982 +Free inodes: 501 +First block: 0 +Block size: 4096 +Fragment size: 4096 +Group descriptor size: 64 +Blocks per group: 32768 +Fragments per group: 32768 +Inodes per group: 512 +Inode blocks per group: 32 +Flex block group size: 16 +Mount count: 0 +Check interval: 0 () +Reserved blocks uid: 0 +Reserved blocks gid: 0 +First inode: 11 +Inode size: 256 +Required extra isize: 32 +Desired extra isize: 32 +Journal inode: 8 +Default directory hash: half_md4 +Journal backup: inode blocks +Checksum type: crc32c +Journal features: (none) +Journal size: 4096k +Journal length: 1024 +Journal sequence: 0x00000001 +Journal start: 0 +Journal number of users: 9999 +Journal users: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Group 0: (Blocks 0-2047) + Primary superblock at 0, Group descriptors at 1-1 + Block bitmap at 2 (+2) + Inode bitmap at 18 (+18) + Inode table at 34-65 (+34) + 982 free blocks, 501 free inodes, 2 directories, 501 unused inodes + Free blocks: 1066-2047 + Free inodes: 12-512 
diff --git a/tests/d_corrupt_journal_nr_users/image.gz b/tests/d_corrupt_journal_nr_users/image.gz new file mode 100644 index 0000000000000000000000000000000000000000..1fc32eddd679fbea791aeba59faf0fcd93cbccd3 GIT binary patch literal 8788
diff --git a/tests/d_corrupt_journal_nr_users/name b/tests/d_corrupt_journal_nr_users/name new file mode 100644 index 00000000..8b33a273 --- /dev/null +++ b/tests/d_corrupt_journal_nr_users/name @@ -0,0 +1 @@ +Journal superblock corrupted, nr_users too high diff --git a/tests/d_corrupt_journal_nr_users/script b/tests/d_corrupt_journal_nr_users/script new file mode 100644 index 00000000..683cd487 --- /dev/null +++ b/tests/d_corrupt_journal_nr_users/script @@ -0,0 +1,25 @@ +if ! test -x $DEBUGFS_EXE; then + echo "$test_name: $test_description: skipped (no debugfs)" + return 0 +fi + +IMAGE=$test_dir/image.gz +EXP=$test_dir/expect +OUT=$test_name.log +gunzip < $IMAGE > $TMPFILE + +$DUMPE2FS $TMPFILE >> $OUT.new 2>&1 +sed -f $cmd_dir/filter.sed $OUT.new > $OUT +rm -f $TMPFILE $OUT.new + +cmp -s $OUT $EXP +status=$? + +if [ "$status" = 0 ] ; then + echo "$test_name: $test_description: ok" + touch $test_name.ok +else + echo "$test_name: $test_description: failed" + diff $DIFF_OPTS $EXP $OUT > $test_name.failed + rm -f $test_name.tmp +fi
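
Review bot: in lib/e2p/ljs.c, e2p_list_journal_super(), the new loop bound `i < nr_users && i < JFS_USERS_MAX` truncates the list silently. The expected dumpe2fs output added by this patch still shows "Journal number of users: 9999" followed by a shortened user list, with nothing telling the reader that the journal superblock is corrupt. Consider printing an explicit warning when nr_users > JFS_USERS_MAX, in line with the message the tune2fs.c hunks add, so the clamping is visible in the output.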
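
Review bot: in lib/ext2fs/mkjournal.c, ext2fs_add_journal_device(), the check `nr_users > JFS_USERS_MAX` lets nr_users == JFS_USERS_MAX through. That is safe for the lookup loop shown, but the code after this hunk is not visible here, and if it stores the new UUID at slot nr_users, a full table would still be written one entry past s_users[]. Please confirm the add path handles a full table, for example by rejecting nr_users >= JFS_USERS_MAX before appending. The loop also keeps the literals `i*16` and `16` where the ljs.c hunk switched to UUID_SIZE; using the constant here too would keep the two sites consistent.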
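
Review bot: in misc/tune2fs.c, remove_journal_device(), the corrupt-superblock branch sets `commit_remove_journal = 1` before `goto no_valid_journal`, while the same condition in fs_update_journal_user() returns EXT2_ET_CORRUPT_JOURNAL_SB. The commit message does not explain this asymmetry. A short comment stating why the removal is committed when the journal superblock cannot be trusted would help the next reader, since the target of the goto is outside the visible context.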
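
Review bot: in misc/tune2fs.c, fs_update_journal_user(), the fprintf repeats the message from remove_journal_device() word for word and prints nr_users with `%d`. The value comes from `ntohl(jsb->s_nr_users)`, so a corrupt on-disk count with the high bit set would print as a negative number; `%u` (with nr_users unsigned or cast) reads better for a count. A shared helper or shared message string for the two call sites would also avoid the duplicated translatable text.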
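
Review bot: in tests/d_corrupt_journal_nr_users/script, the skip guard tests `$DEBUGFS_EXE` and reports "skipped (no debugfs)", but the test only ever runs `$DUMPE2FS`. The guard should check the dumpe2fs binary instead, or be dropped. The failure branch also removes `$test_name.tmp`, which this script never creates.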