| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Jun 2022 00:24:40 -0400
From: "Theodore Ts'o" <tytso@....edu>
To: Ext4 Developers List <linux-ext4@...r.kernel.org>
Cc: Nils Bars <nils.bars@....de>,
Moritz Schlögel <moritz.schloegel@....de>,
Nico Schiller <nico.schiller@....de>,
"Theodore Ts'o" <tytso@....edu>
Subject: [PATCH 3/7] libext2fs: add check for too-short directory blocks
If there is an inline data directory which is smaller than 8 bytes
(which should never happen but for corrupted or fuzzed file systems),
ext2fs_process_dir_block() will now abort EXT2_ET_DIR_CORRUPTED to
avoid an out-of-bounds read.
Reported-by: Nils Bars <nils.bars@....de>
Reported-by: Moritz Schlögel <moritz.schloegel@....de>
Reported-by: Nico Schiller <nico.schiller@....de>
Signed-off-by: Theodore Ts'o <tytso@....edu>
---
lib/ext2fs/dir_iterate.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/ext2fs/dir_iterate.c b/lib/ext2fs/dir_iterate.c
index b2b77693..7798a482 100644
--- a/lib/ext2fs/dir_iterate.c
+++ b/lib/ext2fs/dir_iterate.c
@@ -221,6 +221,10 @@ int ext2fs_process_dir_block(ext2_filsys fs,
if (ext2fs_has_feature_metadata_csum(fs->super))
csum_size = sizeof(struct ext2_dir_entry_tail);
+ if (buflen < 8) {
+ ctx->errcode = EXT2_ET_DIR_CORRUPTED;
+ return BLOCK_ABORT;
+ }
while (offset < buflen - 8) {
dirent = (struct ext2_dir_entry *) (ctx->buf + offset);
if (ext2fs_get_rec_len(fs, dirent, &rec_len))
--
2.31.0
Powered by blists - more mailing lists