lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20200618195849.GE2957@sol.localdomain>
Date:   Thu, 18 Jun 2020 12:58:49 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     Wang Shilong <wangshilong1991@...il.com>
Cc:     linux-ext4@...r.kernel.org, Wang Shilong <wshilong@....com>
Subject: Re: [PATCH] ext2fs: fix to avoid invalid memory access

On Fri, Jun 19, 2020 at 12:16:03AM +0900, Wang Shilong wrote:
> From: Wang Shilong <wshilong@....com>
> 
> Valgrind reported error messages like following:
> 
> ==129205==  Address 0x1b804b04 is 4 bytes after a block of size 4,096 alloc'd
> ==129205==    at 0x483980B: malloc (vg_replace_malloc.c:307)
> ==129205==    by 0x44F973: ext2fs_get_mem (ext2fs.h:1846)
> ==129205==    by 0x44F973: ext2fs_get_pathname (get_pathname.c:162)
> ==129205==    by 0x430917: print_pathname (message.c:212)
> ==129205==    by 0x430FB1: expand_percent_expression (message.c:462)
> ==129205==    by 0x430FB1: print_e2fsck_message (message.c:544)
> ==129205==    by 0x430BED: expand_at_expression (message.c:262)
> ==129205==    by 0x430BED: print_e2fsck_message (message.c:528)
> ==129205==    by 0x430450: fix_problem (problem.c:2494)
> ==129205==    by 0x423F8B: e2fsck_process_bad_inode (pass2.c:1929)
> ==129205==    by 0x425AE8: check_dir_block (pass2.c:1407)
> ==129205==    by 0x426942: check_dir_block2 (pass2.c:961)
> ==129205==    by 0x445736: ext2fs_dblist_iterate3.part.0 (dblist.c:254)
> ==129205==    by 0x423835: e2fsck_pass2 (pass2.c:187)
> ==129205==    by 0x414B19: e2fsck_run (e2fsck.c:257)
> 
> Dir block might be corrupted and cause the next dirent is out
> of block size boundary, even though we have the check to avoid
> problem, memory check tools like valgrind still complains it.
> 
> Patch try to fix the problem by checking if offset exceed max
> offset firstly before getting the pointer.
> 
> Signed-off-by: Wang Shilong <wshilong@....com>
> ---
>  lib/ext2fs/csum.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c
> index c2550365..643777fd 100644
> --- a/lib/ext2fs/csum.c
> +++ b/lib/ext2fs/csum.c
> @@ -260,22 +260,24 @@ static errcode_t __get_dirent_tail(ext2_filsys fs,
>  	void *top;
>  	struct ext2_dir_entry_tail *t;
>  	unsigned int rec_len;
> +	unsigned int max_len;
>  	errcode_t retval = 0;
>  	__u16 (*translate)(__u16) = (need_swab ? disk_to_host16 : do_nothing16);
>  
>  	d = dirent;
>  	top = EXT2_DIRENT_TAIL(dirent, fs->blocksize);
>  
> +	max_len = (char *)top - (char *)dirent;
>  	rec_len = translate(d->rec_len);
>  	while ((void *) d < top) {
>  		if ((rec_len < 8) || (rec_len & 0x03))
>  			return EXT2_ET_DIR_CORRUPTED;
> +		if ((char *)d - (char *)dirent + rec_len > max_len)
> +			return EXT2_ET_DIR_CORRUPTED;
>  		d = (struct ext2_dir_entry *)(((char *)d) + rec_len);
>  		rec_len = translate(d->rec_len);
>  	}
>  
> -	if ((char *)d > ((char *)dirent + fs->blocksize))
> -			return EXT2_ET_DIR_CORRUPTED;
>  	if (d != top)
>  		return EXT2_ET_DIR_NO_SPACE_FOR_CSUM;

This looks buggy.  Previously this returned EXT2_ET_DIR_NO_SPACE_FOR_CSUM if the
last dirent extends beyond where the metadata checksum entry is supposed to
begin, but doesn't exceed fs->blocksize.  But your change makes it return
EXT2_ET_DIR_CORRUPTED in that case, which is potentially a regression.

How about:

diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c
index 54b53a3c..0dbb4963 100644
--- a/lib/ext2fs/csum.c
+++ b/lib/ext2fs/csum.c
@@ -266,16 +266,14 @@ static errcode_t __get_dirent_tail(ext2_filsys fs,
 	d = dirent;
 	top = EXT2_DIRENT_TAIL(dirent, fs->blocksize);
 
-	rec_len = translate(d->rec_len);
 	while ((void *) d < top) {
-		if ((rec_len < 8) || (rec_len & 0x03))
+		rec_len = translate(d->rec_len);
+		if ((rec_len < 8) || (rec_len & 0x03) ||
+		    (rec_len > (char *)dirent + fs->blocksize - (char *)d))
 			return EXT2_ET_DIR_CORRUPTED;
 		d = (struct ext2_dir_entry *)(((char *)d) + rec_len);
-		rec_len = translate(d->rec_len);
 	}
 
-	if ((char *)d > ((char *)dirent + fs->blocksize))
-			return EXT2_ET_DIR_CORRUPTED;
 	if (d != top)
 		return EXT2_ET_DIR_NO_SPACE_FOR_CSUM;
 

Powered by blists - more mailing lists