lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20140805010517.2611.2402.stgit@birch.djwong.org>
Date:	Mon, 04 Aug 2014 18:05:17 -0700
From:	"Darrick J. Wong" <darrick.wong@...cle.com>
To:	tytso@....edu, darrick.wong@...cle.com
Cc:	linux-ext4@...r.kernel.org
Subject: [PATCH 03/21] libext2fs: check EA value offset

Perform a little more sanity checking of EA value offsets so that we
don't crash while trying to load things from the filesystem.

Signed-off-by: Darrick J. Wong <darrick.wong@...cle.com>
---
 lib/ext2fs/ext2_err.et.in |    3 +++
 lib/ext2fs/ext_attr.c     |    5 +++++
 2 files changed, 8 insertions(+)


diff --git a/lib/ext2fs/ext2_err.et.in b/lib/ext2fs/ext2_err.et.in
index 2194a18..6b6d8b8 100644
--- a/lib/ext2fs/ext2_err.et.in
+++ b/lib/ext2fs/ext2_err.et.in
@@ -518,4 +518,7 @@ ec	EXT2_ET_MAGIC_EA_HANDLE,
 ec	EXT2_ET_INODE_IS_GARBAGE,
 	"Inode seems to contain garbage"
 
+ec	EXT2_ET_EA_BAD_VALUE_OFFSET,
+	"Extended attribute has an invalid value offset"
+
 	end
diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c
index f3fba96..96530f8 100644
--- a/lib/ext2fs/ext_attr.c
+++ b/lib/ext2fs/ext_attr.c
@@ -624,6 +624,8 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
 	void *ptr;
 	unsigned int remain, prefix_len;
 	errcode_t err;
+	unsigned int values_size = storage_size +
+			((char *)entries - (char *)value_start);
 
 	x = handle->attrs;
 	while (x->name)
@@ -648,6 +650,9 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
 		if (entry->e_value_size > remain)
 			return EXT2_ET_EA_BAD_VALUE_SIZE;
 
+		if (entry->e_value_offs + entry->e_value_size > values_size)
+			return EXT2_ET_EA_BAD_VALUE_OFFSET;
+
 		/* e_value_block must be 0 in inode's ea */
 		if (entry->e_value_block != 0)
 			return EXT2_ET_BAD_EA_BLOCK_NUM;

--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ