libext2fs: check for cyclic loops in the extent tree

In the extent tree handling code in libext2fs, when we go move down
the extent tree, if a cyclic loop is detected, return an error.

Reported-by: Nils Bars <nils.bars@rub.de>
Reported-by: Moritz Schlögel <moritz.schloegel@rub.de>
Reported-by: Nico Schiller <nico.schiller@rub.de>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/lib/ext2fs/ext2_err.et.in b/lib/ext2fs/ext2_err.et.in
index cf0e00e..bb1dcf1 100644 (file)
--- a/lib/ext2fs/ext2_err.et.in
+++ b/lib/ext2fs/ext2_err.et.in
@@ -551,4 +551,7 @@ ec  EXT2_ET_NO_GDESC,
 ec     EXT2_FILSYS_CORRUPTED,
        "The internal ext2_filsys data structure appears to be corrupted"
 
+ec     EXT2_ET_EXTENT_CYCLE,
+       "Found cyclic loop in extent tree"
+
        end

diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
index 1a206a1..82e75cc 100644 (file)
--- a/lib/ext2fs/extent.c
+++ b/lib/ext2fs/extent.c
@@ -47,6 +47,7 @@ struct extent_path {
        int             visit_num;
        int             flags;
        blk64_t         end_blk;
+       blk64_t         blk;
        void            *curr;
 };
 
@@ -286,6 +287,7 @@ errcode_t ext2fs_extent_open2(ext2_filsys fs, ext2_ino_t ino,
        handle->path[0].end_blk =
                (EXT2_I_SIZE(handle->inode) + fs->blocksize - 1) >>
                 EXT2_BLOCK_SIZE_BITS(fs->super);
+       handle->path[0].blk = 0;
        handle->path[0].visit_num = 1;
        handle->level = 0;
        handle->magic = EXT2_ET_MAGIC_EXTENT_HANDLE;
@@ -305,14 +307,14 @@ errout:
 errcode_t ext2fs_extent_get(ext2_extent_handle_t handle,
                            int flags, struct ext2fs_extent *extent)
 {
-       struct extent_path      *path, *newpath;
+       struct extent_path      *path, *newpath, *tp;
        struct ext3_extent_header       *eh;
        struct ext3_extent_idx          *ix = 0;
        struct ext3_extent              *ex;
        errcode_t                       retval;
        blk64_t                         blk;
        blk64_t                         end_blk;
-       int                             orig_op, op;
+       int                             orig_op, op, l;
        int                             failed_csum = 0;
 
        EXT2_CHECK_MAGIC(handle, EXT2_ET_MAGIC_EXTENT_HANDLE);
@@ -467,6 +469,11 @@ retry:
                }
                blk = ext2fs_le32_to_cpu(ix->ei_leaf) +
                        ((__u64) ext2fs_le16_to_cpu(ix->ei_leaf_hi) << 32);
+               for (l = handle->level, tp = path; l > 0; l--, tp--) {
+                       if (blk == tp->blk)
+                               return EXT2_ET_EXTENT_CYCLE;
+               }
+               newpath->blk = blk;
                if ((handle->fs->flags & EXT2_FLAG_IMAGE_FILE) &&
                    (handle->fs->io != handle->fs->image_io))
                        memset(newpath->buf, 0, handle->fs->blocksize);