From 7d25ea4628c0743a1b62e1884305fa283f2eb6e2 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o
Date: Thu, 16 Jan 2020 18:14:37 -0500
Subject: [PATCH] libext2fs: fix potential OOB read check_for_inode_bad_blocks()

If the bad block list has been reset in the middle of an inode scan, it's possible for bb->list[scan->bad_blocks_ptr] to result in an out-of-bounds read access. This is highly unlikely to happen under normal circumstances; in particular, we generally don't use bad block inodes any more. In addition, this would only happen if the bad block inode itself is corrupt so e2fsck needs to wipe it out. This might cause e2fsck to crash, but it will more likely cause a part of the inode table to be wrongly considered invalid, causing file system to be incorrectly fixed. This was reported by TALOS as TALOS-2020-0974 and CVE-2020-6057, but after closer examination, we don't believe this can be used in any way to exploit the system or release information about the system, since all this can do is to cause part of the inode table to be skipped when it shouldn't be, and this can't be leveraged since any information about the ASLR of the process is obsolete once e2fsck exits.

Signed-off-by: Theodore Ts'o
---
 lib/ext2fs/inode.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/ext2fs/inode.c b/lib/ext2fs/inode.c
index 75df418..c4377ee 100644
--- a/lib/ext2fs/inode.c
+++ b/lib/ext2fs/inode.c
@@ -309,6 +309,7 @@ errcode_t ext2fs_inode_scan_goto_blockgroup(ext2_inode_scan scan,
 {
 scan->current_group = group - 1;
 scan->groups_left = scan->fs->group_desc_count - group;
+ scan->bad_block_ptr = 0;
 return get_next_blockgroup(scan);
 }
 
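Review bot: The added `scan->bad_block_ptr = 0;` carries no comment saying why a jump to another block group has to rewind the bad-block cursor, and nothing in this function shows where the cursor is consumed. Suggest `/* bad_block_ptr is only ever advanced by check_for_inode_bad_blocks(); a group jump changes the scan position non-monotonically, so restart the cursor. */` — the "only ever advanced" part is taken from the comment text in the next hunk and should be confirmed against the loop that follows it. The function's parameter list begins before the hunk's first line, so whether `group` has already been range-checked is not visible here. Separately, the description refers to the field as `bad_blocks_ptr` while the code uses `bad_block_ptr`.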
@@ -332,6 +333,12 @@ static errcode_t check_for_inode_bad_blocks(ext2_inode_scan scan,
 if (blk == 0)
 return 0;
 
+ /* Make sure bad_block_ptr is still valid */
+ if (scan->bad_block_ptr >= bb->num) {
+ scan->scan_flags &= ~EXT2_SF_CHK_BADBLOCKS;
+ return 0;
+ }
+
 /*
 * If the current block is greater than the bad block listed
 * in the bad block list, then advance the pointer until this
-- 
1.8.3.1
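Review bot: The new guard clears EXT2_SF_CHK_BADBLOCKS and returns success, but the comment `/* Make sure bad_block_ptr is still valid */` names only the check, not its consequence: once the cursor is at or past `bb->num`, bad-block checking is switched off for the rest of this scan, so inode-table blocks that a freshly rebuilt list would flag are no longer reported. Suggest expanding it to `/* The list may have been reset or shrunk under us; if the cursor is past the end, stop checking rather than read past bb->list. */` so the trade-off is explicit. The guard dereferences `bb->num` unconditionally; whether `bb` can be NULL while EXT2_SF_CHK_BADBLOCKS is set is decided where `bb` is assigned, above this hunk, and is worth confirming. check_for_inode_bad_blocks begins before and ends after the hunk, so the `bb->list[scan->bad_block_ptr]` read this guard protects is not visible here.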