Date:   Wed, 27 Jun 2018 13:02:24 +0300
From:   c17828 <artem.blagodarenko@...il.com>
To:     linux-ext4@...r.kernel.org
Cc:     adilger.kernel@...ger.ca, alexey.lyashkov@...il.com,
        Andreas Dilger <andreas.dilger@...el.com>,
        Artem Blagodarenko <artem.blagodarenko@...il.com>
Subject: [PATCH] e2fsck: improve in-inode xattr checks

From: Andreas Dilger <andreas.dilger@...el.com>

Add check for in-inode xattr to make sure that it is not referencing
an offset that is beyond the end of the inode.

Change-Id: I5d7c0cac9aebfdaba4e48b5144d51b764f42e1ad
Signed-off-by: Andreas Dilger <andreas.dilger@...el.com>
Signed-off-by: Artem Blagodarenko <artem.blagodarenko@...il.com>
---
 .gitignore       |  1 +
 e2fsck/pass1.c   | 11 +++++++++--
 e2fsck/problem.c |  4 ++++
 e2fsck/problem.h |  2 ++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index cceaed6d..78460691 100644
--- a/.gitignore
+++ b/.gitignore
@@ -123,6 +123,7 @@ lib/ext2fs/tst_iscan
 lib/ext2fs/tst_libext2fs
 lib/ext2fs/tst_sha256
 lib/ext2fs/tst_sha512
+lib/ext2fs/tst_read_ea
 lib/ext2fs/tst_super_size
 lib/ext2fs/tst_types
 lib/quota/subdirs
diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c
index 0fedb9a4..58fcdbec 100644
--- a/e2fsck/pass1.c
+++ b/e2fsck/pass1.c
@@ -500,8 +500,15 @@ static void check_ea_in_inode(e2fsck_t ctx, struct problem_context *pctx,
 				goto fix;
 			}
 
-			hash = ext2fs_ext_attr_hash_entry(entry,
-							  start + entry->e_value_offs);
+		/* Value size cannot be larger than EA space in inode */
+		if (entry->e_value_offs > storage_size ||
+		    entry->e_value_offs + entry->e_value_size > storage_size) {
+			problem = PR_1_INODE_EA_BAD_VALUE;
+			goto fix;
+		}
+
+		hash = ext2fs_ext_attr_hash_entry(entry,
+						  start + entry->e_value_offs);
 
 			/* e_hash may be 0 in older inode's ea */
 			if (entry->e_hash != 0 && entry->e_hash != hash) {
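Review bot: The second clause of the new bound, `entry->e_value_offs + entry->e_value_size > storage_size`, is an addition that can wrap if e_value_size is a 32-bit on-disk field (its declaration is not in this hunk), which would let a very large size pass just before `ext2fs_ext_attr_hash_entry()` reads from `start + entry->e_value_offs`. Because the first clause already guarantees `e_value_offs <= storage_size`, the subtraction form cannot wrap: `entry->e_value_size > storage_size - entry->e_value_offs`. A size check above the hunk may already cap e_value_size, but this test should hold without relying on it. The added lines are also indented one tab less than the surrounding context (`goto fix;` above, the `e_hash` comparison below), which hides that they sit in the same nested block, and the comment would be more accurate as `/* Value must lie entirely within the inode's EA space */`. check_ea_in_inode starts and ends outside the hunk.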
diff --git a/e2fsck/problem.c b/e2fsck/problem.c
index 37a0a3c4..365c522b 100644
--- a/e2fsck/problem.c
+++ b/e2fsck/problem.c
@@ -1166,6 +1166,10 @@ static struct e2fsck_problem problem_table[] = {
 	  N_("EA @i %N for parent @i %i missing EA_INODE flag.\n "),
 	  PROMPT_FIX, PR_PREEN_OK },
 
+	/* Bad extended attribute value in inode */
+	{ PR_1_INODE_EA_BAD_VALUE,
+	  N_("@a in @i %i is corrupt (@n value)."),
+	  PROMPT_CLEAR, 0},
 
 	/* Pass 1b errors */
 
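Review bot: The new message string ends directly on the period, whereas the entry above it ends with trailing whitespace before its prompt, so the PROMPT_CLEAR text would presumably be printed flush against `(@n value).`; `N_("@a in @i %i is corrupt (@n value). "),` would keep the output consistent. The entry also passes `0` for the flags where its neighbour uses `PR_PREEN_OK`; if stopping a preen run on this corruption is intended, a short comment saying so would help the next reader. problem_table continues outside the hunk.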
diff --git a/e2fsck/problem.h b/e2fsck/problem.h
index 7c6f4ff8..e070a70b 100644
--- a/e2fsck/problem.h
+++ b/e2fsck/problem.h
@@ -688,6 +688,8 @@ struct problem_context {
 /* EA inode for parent inode does not have EXT4_EA_INODE_FL flag */
 #define PR_1_ATTR_SET_EA_INODE_FL		0x010086
 
+/* Bad extended attribute value in inode */
+#define PR_1_INODE_EA_BAD_VALUE		0x010087
 
 /*
  * Pass 1b errors
-- 
2.14.3
