lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20131204023600.GB15658@thunk.org> Date: Tue, 3 Dec 2013 21:36:00 -0500 From: Theodore Ts'o <tytso@....edu> To: Eryu Guan <guaneryu@...il.com> Cc: Lukáš Czerner <lczerner@...hat.com>, linux-ext4@...r.kernel.org Subject: [PATCH v3] ext4: check for overlapping extents in ext4_valid_extent_entries() On Wed, Oct 23, 2013 at 02:40:30AM +0800, Eryu Guan wrote: > A corrupted ext4 may have out of order leaf extents, i.e. > > extent: lblk 0--1023, len 1024, pblk 9217, flags: LEAF UNINIT > extent: lblk 1000--2047, len 1024, pblk 10241, flags: LEAF UNINIT > ^^^^ overlap with previous extent > > Reading such extent could hit BUG_ON() in ext4_es_cache_extent(). > > BUG_ON(end < lblk); > > The problem is that __read_extent_tree_block() tries to cache holes as > well but assumes 'lblk' is greater than 'prev' and passes underflowed > length to ext4_es_cache_extent(). Fix it by checking for overlapping > extents in ext4_valid_extent_entries(). > > I hit this when fuzz testing ext4, and am able to reproduce it by > modifying the on-disk extent by hand. > > Also add the check for (ee_block + len - 1) in ext4_valid_extent() to > make sure the value is not overflow. > > Ran xfstests on patched ext4 and no regression. > > Cc: "Theodore Ts'o" <tytso@....edu> > Cc: Lukáš Czerner <lczerner@...hat.com> > Signed-off-by: Eryu Guan <guaneryu@...il.com> Thanks, applied. - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists