From 232d29257b5ec4199e927b9490730a55b2d621ab Mon Sep 17 00:00:00 2001 From: Andreas Dilger Date: Thu, 12 Apr 2012 15:23:47 -0600 Subject: [PATCH] e2fsck: improve in-inode xattr checks Add check for in-inode xattr to make sure that it is not referencing an offset that is beyond the end of the inode. Signed-off-by: Andreas Dilger --- .gitignore | 1 + e2fsck/pass1.c | 7 +++++++ e2fsck/problem.c | 5 +++++ e2fsck/problem.h | 4 ++++ 4 files changed, 17 insertions(+) diff --git a/.gitignore b/.gitignore index 328df77..45f0cba 100644 --- a/.gitignore +++ b/.gitignore @@ -100,6 +100,7 @@ lib/ext2fs/tst_icount lib/ext2fs/tst_inline lib/ext2fs/tst_inode_size lib/ext2fs/tst_iscan +lib/ext2fs/tst_read_ea lib/ext2fs/tst_super_size lib/ext2fs/tst_types lib/libblkid.a diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c index 78fbe8d..10e4462 100644 --- a/e2fsck/pass1.c +++ b/e2fsck/pass1.c @@ -321,6 +321,13 @@ static void check_ea_in_inode(e2fsck_t ctx, struct problem_context *pctx) goto fix; } + /* Value size cannot be larger than EA space in inode */ + if (entry->e_value_offs > storage_size || + entry->e_value_offs + entry->e_value_size > storage_size) { + problem = PR_1_INODE_EA_BAD_VALUE; + goto fix; + } + hash = ext2fs_ext_attr_hash_entry(entry, start + entry->e_value_offs); diff --git a/e2fsck/problem.c b/e2fsck/problem.c index 1c08e42..753c91d 100644 --- a/e2fsck/problem.c +++ b/e2fsck/problem.c @@ -946,6 +946,11 @@ static struct e2fsck_problem problem_table[] = { N_("@i %i has zero length extent\n\t(@n logical @b %c, physical @b %b)\n"), PROMPT_CLEAR, 0 }, + /* Bad extended attribute value in inode */ + { PR_1_INODE_EA_BAD_VALUE, + N_("@a in @i %i is corrupt (@n value)."), + PROMPT_CLEAR, 0}, + /* Pass 1b errors */ /* Pass 1B: Rescan for duplicate/bad blocks */ diff --git a/e2fsck/problem.h b/e2fsck/problem.h index 1b5815b..fc8c3c7 100644 --- a/e2fsck/problem.h +++ b/e2fsck/problem.h @@ -558,6 +558,10 @@ struct problem_context { /* Extent has zero length */ #define PR_1_EXTENT_LENGTH_ZERO 0x010066 +/* Bad extended attribute value in inode */ +#define PR_1_INODE_EA_BAD_VALUE 0x010070 + + /* * Pass 1b errors */ -- 1.8.3.1