lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20180407051427.14883-1-tytso@mit.edu>
Date:   Sat,  7 Apr 2018 01:14:26 -0400
From:   Theodore Ts'o <tytso@....edu>
To:     Ext4 Developers List <linux-ext4@...r.kernel.org>
Cc:     Wen Xu <wen.xu@...ech.edu>, Theodore Ts'o <tytso@....edu>
Subject: [PATCH 1/2] libext2fs: add sanity checks for ea_in_inode

An inode containing the value for an extended attribute (aka an
ea_in_inode) must not have the INLINE_DATA flag and must have the
EA_INODE flag set.  Enforcing this prevents e2fsck and debugfs crashes
caused by a maliciously crafted file system containing an inode which
has both the EA_INODE and INLINE_DATA flags set, and where that inode
has an extended attribute whose e_value_inum points to itself.

Reported-by: Wen Xu <wen.xu@...ech.edu>
Signed-off-by: Theodore Ts'o <tytso@....edu>
---
 e2fsck/pass1.c            | 1 +
 lib/ext2fs/ext2_err.et.in | 3 +++
 lib/ext2fs/ext_attr.c     | 8 +++++++-
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c
index fccd8816a..69b3f09e7 100644
--- a/e2fsck/pass1.c
+++ b/e2fsck/pass1.c
@@ -1542,6 +1542,7 @@ void e2fsck_pass1(e2fsck_t ctx)
 			case EXT2_ET_NO_INLINE_DATA:
 			case EXT2_ET_EXT_ATTR_CSUM_INVALID:
 			case EXT2_ET_EA_BAD_VALUE_OFFSET:
+			case EXT2_ET_EA_INODE_CORRUPTED:
 				/* broken EA or no system.data EA; truncate */
 				if (fix_problem(ctx, PR_1_INLINE_DATA_NO_ATTR,
 						&pctx)) {
diff --git a/lib/ext2fs/ext2_err.et.in b/lib/ext2fs/ext2_err.et.in
index ac96964d9..16abd23d8 100644
--- a/lib/ext2fs/ext2_err.et.in
+++ b/lib/ext2fs/ext2_err.et.in
@@ -542,4 +542,7 @@ ec	EXT2_ET_CORRUPT_JOURNAL_SB,
 ec	EXT2_ET_INODE_CORRUPTED,
 	"Inode is corrupted"
 
+ec	EXT2_ET_EA_INODE_CORRUPTED,
+	"Inode containing extended attribute value is corrupted"
+
 	end
diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c
index 89c5f2cb6..81b067ad5 100644
--- a/lib/ext2fs/ext_attr.c
+++ b/lib/ext2fs/ext_attr.c
@@ -903,6 +903,7 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
 			memcpy(x->value, value_start + entry->e_value_offs,
 			       entry->e_value_size);
 		} else {
+			struct ext2_inode *ea_inode;
 			ext2_file_t ea_file;
 
 			if (entry->e_value_offs != 0)
@@ -920,7 +921,12 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
 			if (err)
 				return err;
 
-			if (ext2fs_file_get_size(ea_file) !=
+			ea_inode = ext2fs_file_get_inode(ea_file);
+			if ((ea_inode->i_flags & EXT4_INLINE_DATA_FL) ||
+			    !(ea_inode->i_flags & EXT4_EA_INODE_FL) ||
+			    ea_inode->i_links_count == 0)
+				err = EXT2_ET_EA_INODE_CORRUPTED;
+			else if (ext2fs_file_get_size(ea_file) !=
 			    entry->e_value_size)
 				err = EXT2_ET_EA_BAD_VALUE_SIZE;
 			else
-- 
2.16.1.72.g5be1f00a9a

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ