lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20191230170628.GB125106@mit.edu>
Date:   Mon, 30 Dec 2019 12:06:28 -0500
From:   "Theodore Y. Ts'o" <tytso@....edu>
To:     Wang Shilong <wangshilong1991@...il.com>
Cc:     linux-ext4@...r.kernel.org, adilger@...ger.ca, lixi@....com,
        wshilong@....com
Subject: Re: [PATCH 2/2] e2fsck: fix use after free in calculate_tree()

On Tue, Nov 26, 2019 at 06:03:59PM +0900, Wang Shilong wrote:
> @@ -725,12 +728,18 @@ static errcode_t calculate_tree(ext2_filsys fs,
>  					return retval;
>  			}
>  			if (c3 == 0) {
> +				int delta1 = int_offset;;
> +				int delta2 = (char *)root - outdir->buf;
> +
>  				retval = alloc_blocks(fs, &limit, &int_ent,
>  						      &dx_ent, &int_offset,
>  						      NULL, outdir, i, &c2,
>  						      &c3);
>  				if (retval)
>  					return retval;
> +				/* outdir->buf might be reallocated */
> +				int_limit = (struct ext2_dx_countlimit *)(outdir->buf + delta1);
> +				root = (struct ext2_dx_entry *)(outdir->buf + delta2);
>  
>  			}
>  			dx_ent->block = ext2fs_cpu_to_le32(i);

Um, are you sure

				int delta1 = int_offset;;

is correct?  I would think
				int delta1 = (char *)int_limit - outdir->buf;

is what is needed; it's certainly much more clear.

   	   	   		       	    - Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ