Whamcloud - gitweb
libext2fs: fix potential memory access overrun in ext2fs_inode_csum()
author Theodore Ts'o <tytso@mit.edu>
Mon, 16 Oct 2017 04:28:45 +0000 (00:28 -0400)
committer Theodore Ts'o <tytso@mit.edu>
Mon, 16 Oct 2017 04:28:45 +0000 (00:28 -0400)
If the superblock has a revision level of 0, then s_inode_size is
undefined, and the actual inode size is 128 bytes.  This is handled by
the EXT2_INODE_SIZE() helper macro.  If s_inode_size is maliciously
set to a large value, and the s_rev_level is 0, then this could result
in an illegal memory pointer dereference.

Addresses-Debian-Bug: #878104
Reported-by: Jakub Wilk <jwilk@jwilk.net>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
lib/ext2fs/csum.c

index e67850f..093da04 100644 (file)
@@ -632,7 +632,7 @@ static errcode_t ext2fs_inode_csum(ext2_filsys fs, ext2_ino_t inum,
 {
        __u32 gen;
        struct ext2_inode_large *desc = inode;
-       size_t size = fs->super->s_inode_size;
+       size_t size = EXT2_INODE_SIZE(fs->super);
        __u16 old_lo;
        __u16 old_hi = 0;
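
Review bot: the `size` initialisation in ext2fs_inode_csum() still takes its value from the superblock with no bound visible in this hunk. EXT2_INODE_SIZE() covers the revision 0 case described in the commit message, but for any other revision level it yields s_inode_size as stored on disk. Please confirm that the buffer passed in as `inode` is always at least EXT2_INODE_SIZE(fs->super) bytes, or that s_inode_size is validated before this function can be reached. A one-line comment at this declaration saying why the macro is used instead of the raw field would also help keep the direct access from being reintroduced.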