From: Andreas Dilger Date: Fri, 22 Jun 2007 06:22:38 +0000 (-0400) Subject: e2fsck: added sanity check for xattr validation X-Git-Tag: E2FSPROGS-1_40~10 X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=a34c6ffd687aef4941bbc32793078c13914d3864;p=tools%2Fe2fsprogs.git e2fsck: added sanity check for xattr validation Add an extra validity test in check_ext_attr(). If an attribute's e_value_size is zero the current code does not allocate a region for it and as a result the e_value_offs value is not verified. However, if e_value_offs is very large then the later call to ext2fs_ext_attr_hash_entry() can dereference bad memory and crash e2fsck. Signed-off-by: Andreas Dilger Signed-off-by: Jim Garlick --- diff --git a/e2fsck/ChangeLog b/e2fsck/ChangeLog index 3fbeef2..06fa905 100644 --- a/e2fsck/ChangeLog +++ b/e2fsck/ChangeLog @@ -1,3 +1,13 @@ +2007-06-22 Theodore Tso + + * pass1.c (check_ext_attr): Adds an extra validity test in + check_ext_attr(). If an attribute's e_value_size is zero + the current code does not allocate a region for it and as + a result the e_value_offs value is not verified. However, + if e_value_offs is very large then the later call to + ext2fs_ext_attr_hash_entry() can dereference bad memory + and crash e2fsck. + 2007-06-18 Theodore Tso * journal.c (e2fsck_run_ext3_journal), unix.c (main): Explicitly diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c index 8f5a314..bed1ec8 100644 --- a/e2fsck/pass1.c +++ b/e2fsck/pass1.c @@ -1380,6 +1380,11 @@ static int check_ext_attr(e2fsck_t ctx, struct problem_context *pctx, if (fix_problem(ctx, PR_1_EA_BAD_VALUE, pctx)) goto clear_extattr; } + if (entry->e_value_offs + entry->e_value_size > fs->blocksize) { + if (fix_problem(ctx, PR_1_EA_BAD_VALUE, pctx)) + goto clear_extattr; + break; + } if (entry->e_value_size && region_allocate(region, entry->e_value_offs, EXT2_EXT_ATTR_SIZE(entry->e_value_size))) {
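Review bot: The new e2fsck/ChangeLog entry is credited to Theodore Tso, while the patch header names Andreas Dilger as author and carries sign-offs from Andreas Dilger and Jim Garlick. If the entry is meant to record who wrote the check, it should name them. The entry text also repeats the function name already given in the "pass1.c (check_ext_attr):" prefix ("Adds an extra validity test in check_ext_attr()"). It would say more if it stated the condition that is tested (e_value_offs + e_value_size against the block size) and that a failure is reported as the existing PR_1_EA_BAD_VALUE problem.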
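Review bot: In the test added to check_ext_attr() in e2fsck/pass1.c, "entry->e_value_offs + entry->e_value_size > fs->blocksize" adds two on-disk fields before comparing. If that sum can wrap in the type it is computed in, a corrupt e_value_size near the type's maximum gives a small sum and passes the test. Checking the fields separately avoids this: first e_value_offs > fs->blocksize, then e_value_size > fs->blocksize - e_value_offs. Separately, the new block ends in a "break" when fix_problem() declines the fix, which the PR_1_EA_BAD_VALUE check directly above it does not do. A one-line comment stating that the loop stops here so the entry never reaches ext2fs_ext_attr_hash_entry() with an unverified offset would make the difference clear to the next reader.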