From: Wang Shilong <wshilong@ddn.com>
Date: Fri, 19 Jun 2020 02:20:39 +0000 (+0800)
Subject: LU-8465 ext2fs: fix to avoid invalid memory access
X-Git-Tag: v1.45.6.wc2~14
X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=d8b23ec2a3a900ecf2040ea67a9b4b34d499c536;p=tools%2Fe2fsprogs.git

LU-8465 ext2fs: fix to avoid invalid memory access

Dir block might be corrupted and cause the next dirent is out
of block size boundary, even though we have the check to avoid
problem, memory check tools like valgrind still complains it.

Patch try to fix the problem by checking if offset exceed max
offset firstly before getting the pointer.

Signed-off-by: Wang Shilong <wshilong@ddn.com>
Change-Id: I40c4587bb35b7f22d47f37b4ffa52ef822f11b41
Reviewed-on: https://review.whamcloud.com/39850
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
---

diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c
index a717258..0dbb496 100644
--- a/lib/ext2fs/csum.c
+++ b/lib/ext2fs/csum.c
@@ -266,16 +266,14 @@ static errcode_t __get_dirent_tail(ext2_filsys fs,
 	d = dirent;
 	top = EXT2_DIRENT_TAIL(dirent, fs->blocksize);
 
-	rec_len = translate(d->rec_len);
 	while ((void *) d < top) {
-		if ((rec_len < 8) || (rec_len & 0x03))
+		rec_len = translate(d->rec_len);
+		if ((rec_len < 8) || (rec_len & 0x03) ||
+		    (rec_len > (char *)dirent + fs->blocksize - (char *)d))
 			return EXT2_ET_DIR_CORRUPTED;
 		d = (struct ext2_dir_entry *)(((char *)d) + rec_len);
-		rec_len = translate(d->rec_len);
 	}
 
-	if ((void *)d > ((void *)dirent + fs->blocksize))
-			return EXT2_ET_DIR_CORRUPTED;
 	if (d != top)
 		return EXT2_ET_DIR_NO_SPACE_FOR_CSUM;