From 40196f3b493a55728f8f3a6591d52867ef613e3c Mon Sep 17 00:00:00 2001
From: Theodore Ts'o
Date: Mon, 30 May 2022 19:17:30 -0400
Subject: [PATCH] e2fsck: sanity check the journal inode number
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

E2fsck replays the journal before sanity checking the full superblock. So it's possible that the journal inode number is not valid relative to the number of block groups. So to avoid potentially an array bounds overrun, sanity check this before trying to find the journal inode.

Reported-by: Nils Bars
Reported-by: Moritz Schlögel
Reported-by: Nico Schiller
Signed-off-by: Theodore Ts'o
---
 e2fsck/journal.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/e2fsck/journal.c b/e2fsck/journal.c
index 2e86723..12487e3 100644
--- a/e2fsck/journal.c
+++ b/e2fsck/journal.c
@@ -989,7 +989,14 @@ static errcode_t e2fsck_get_journal(e2fsck_t ctx, journal_t **ret_journal)
 	journal->j_blocksize = ctx->fs->blocksize;
 
 	if (uuid_is_null(sb->s_journal_uuid)) {
-		if (!sb->s_journal_inum) {
+		/*
+		 * The full set of superblock sanity checks haven't
+		 * been performed yet, so we need to do some basic
+		 * checks here to avoid potential array overruns.
+		 */
+		if (!sb->s_journal_inum ||
+		    (sb->s_journal_inum >
+		     (ctx->fs->group_desc_count * sb->s_inodes_per_group))) {
 			retval = EXT2_ET_BAD_INODE_NUM;
 			goto errout;
 		}
-- 
1.8.3.1
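Review bot: The upper bound in the added condition, `ctx->fs->group_desc_count * sb->s_inodes_per_group`, is computed in 32-bit arithmetic if both operands are 32-bit (dgrp_t and __u32 in e2fsprogs, as far as I can tell from outside the hunk), and since the commit message says the superblock has not been sanity-checked yet, a crafted s_inodes_per_group can make the product wrap to a small value or to zero and let an out-of-range s_journal_inum slip past the check the patch is adding. Widening the product closes that, `(sb->s_journal_inum > ((__u64)ctx->fs->group_desc_count * sb->s_inodes_per_group))`. It would also be worth a short comment stating that this bound is deliberately derived from group_desc_count rather than from the untrusted s_inodes_count so a reader does not "fix" it later. e2fsck_get_journal's body begins and ends outside the hunk, so I cannot see whether group_desc_count itself has been validated at this point.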