| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 23 Jul 2017 00:50:34 -0400
From: Theodore Ts'o <tytso@....edu>
To: Ext4 Developers List <linux-ext4@...r.kernel.org>
Cc: abuchbinder@...gle.com, Theodore Ts'o <tytso@....edu>
Subject: [PATCH 4/5] debugfs: add sanity checking to the string_to_inode() utility function
Otherwise it's possible for a corrupt file system or bad user input to
cause debugfs to crash if the resulting inode number is insanely
large.
This problem was found using American Fuzzy Lop.
Reported-by: Adam Buchbinder <abuchbinder@...gle.com>
Signed-off-by: Theodore Ts'o <tytso@....edu>
---
debugfs/util.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/debugfs/util.c b/debugfs/util.c
index bd5de79e4..5f101f48d 100644
--- a/debugfs/util.c
+++ b/debugfs/util.c
@@ -119,7 +119,7 @@ ext2_ino_t string_to_inode(char *str)
*/
if ((len > 2) && (str[0] == '<') && (str[len-1] == '>')) {
ino = strtoul(str+1, &end, 0);
- if (*end=='>')
+ if (*end=='>' && (ino <= current_fs->super->s_inodes_count))
return ino;
}
@@ -128,6 +128,11 @@ ext2_ino_t string_to_inode(char *str)
com_err(str, retval, 0);
return 0;
}
+ if (ino > current_fs->super->s_inodes_count) {
+ com_err(str, 0, "resolves to an illegal inode number: %u\n",
+ ino);
+ return 0;
+ }
return ino;
}
--
2.11.0.rc0.7.gbe5a750
Powered by blists - more mailing lists