An inode that holds the value of an extended attribute (an "EA inode", aka
ea_in_inode) must not have the INLINE_DATA flag set and must have the
EA_INODE flag set. Enforcing this prevents e2fsck and debugfs crashes
caused by a maliciously crafted file system containing an inode that has
both the EA_INODE and INLINE_DATA flags set and carries an extended
attribute whose e_value_inum points back to that same inode.
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
case EXT2_ET_NO_INLINE_DATA:
case EXT2_ET_EXT_ATTR_CSUM_INVALID:
case EXT2_ET_EA_BAD_VALUE_OFFSET:
+ case EXT2_ET_EA_INODE_CORRUPTED:
/* broken EA or no system.data EA; truncate */
if (fix_problem(ctx, PR_1_INLINE_DATA_NO_ATTR,
&pctx)) {
ec EXT2_ET_INODE_CORRUPTED,
"Inode is corrupted"
+ec EXT2_ET_EA_INODE_CORRUPTED,
+ "Inode containing extended attribute value is corrupted"
+
end
memcpy(x->value, value_start + entry->e_value_offs,
entry->e_value_size);
} else {
+ struct ext2_inode *ea_inode;
ext2_file_t ea_file;
if (entry->e_value_offs != 0)
if (err)
return err;
- if (ext2fs_file_get_size(ea_file) !=
+ ea_inode = ext2fs_file_get_inode(ea_file);
+ if ((ea_inode->i_flags & EXT4_INLINE_DATA_FL) ||
+ !(ea_inode->i_flags & EXT4_EA_INODE_FL) ||
+ ea_inode->i_links_count == 0)
+ err = EXT2_ET_EA_INODE_CORRUPTED;
+ else if (ext2fs_file_get_size(ea_file) !=
entry->e_value_size)
err = EXT2_ET_EA_BAD_VALUE_SIZE;
else