lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200618195849.GE2957@sol.localdomain> Date: Thu, 18 Jun 2020 12:58:49 -0700 From: Eric Biggers <ebiggers@...nel.org> To: Wang Shilong <wangshilong1991@...il.com> Cc: linux-ext4@...r.kernel.org, Wang Shilong <wshilong@....com> Subject: Re: [PATCH] ext2fs: fix to avoid invalid memory access On Fri, Jun 19, 2020 at 12:16:03AM +0900, Wang Shilong wrote: > From: Wang Shilong <wshilong@....com> > > Valgrind reported error messages like following: > > ==129205== Address 0x1b804b04 is 4 bytes after a block of size 4,096 alloc'd > ==129205== at 0x483980B: malloc (vg_replace_malloc.c:307) > ==129205== by 0x44F973: ext2fs_get_mem (ext2fs.h:1846) > ==129205== by 0x44F973: ext2fs_get_pathname (get_pathname.c:162) > ==129205== by 0x430917: print_pathname (message.c:212) > ==129205== by 0x430FB1: expand_percent_expression (message.c:462) > ==129205== by 0x430FB1: print_e2fsck_message (message.c:544) > ==129205== by 0x430BED: expand_at_expression (message.c:262) > ==129205== by 0x430BED: print_e2fsck_message (message.c:528) > ==129205== by 0x430450: fix_problem (problem.c:2494) > ==129205== by 0x423F8B: e2fsck_process_bad_inode (pass2.c:1929) > ==129205== by 0x425AE8: check_dir_block (pass2.c:1407) > ==129205== by 0x426942: check_dir_block2 (pass2.c:961) > ==129205== by 0x445736: ext2fs_dblist_iterate3.part.0 (dblist.c:254) > ==129205== by 0x423835: e2fsck_pass2 (pass2.c:187) > ==129205== by 0x414B19: e2fsck_run (e2fsck.c:257) > > Dir block might be corrupted and cause the next dirent is out > of block size boundary, even though we have the check to avoid > problem, memory check tools like valgrind still complains it. > > Patch try to fix the problem by checking if offset exceed max > offset firstly before getting the pointer. > > Signed-off-by: Wang Shilong <wshilong@....com> > --- > lib/ext2fs/csum.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c > index c2550365..643777fd 100644 > --- a/lib/ext2fs/csum.c > +++ b/lib/ext2fs/csum.c > @@ -260,22 +260,24 @@ static errcode_t __get_dirent_tail(ext2_filsys fs, > void *top; > struct ext2_dir_entry_tail *t; > unsigned int rec_len; > + unsigned int max_len; > errcode_t retval = 0; > __u16 (*translate)(__u16) = (need_swab ? disk_to_host16 : do_nothing16); > > d = dirent; > top = EXT2_DIRENT_TAIL(dirent, fs->blocksize); > > + max_len = (char *)top - (char *)dirent; > rec_len = translate(d->rec_len); > while ((void *) d < top) { > if ((rec_len < 8) || (rec_len & 0x03)) > return EXT2_ET_DIR_CORRUPTED; > + if ((char *)d - (char *)dirent + rec_len > max_len) > + return EXT2_ET_DIR_CORRUPTED; > d = (struct ext2_dir_entry *)(((char *)d) + rec_len); > rec_len = translate(d->rec_len); > } > > - if ((char *)d > ((char *)dirent + fs->blocksize)) > - return EXT2_ET_DIR_CORRUPTED; > if (d != top) > return EXT2_ET_DIR_NO_SPACE_FOR_CSUM; This looks buggy. Previously this returned EXT2_ET_DIR_NO_SPACE_FOR_CSUM if the last dirent extends beyond where the metadata checksum entry is supposed to begin, but doesn't exceed fs->blocksize. But your change makes it return EXT2_ET_DIR_CORRUPTED in that case, which is potentially a regression. How about: diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c index 54b53a3c..0dbb4963 100644 --- a/lib/ext2fs/csum.c +++ b/lib/ext2fs/csum.c @@ -266,16 +266,14 @@ static errcode_t __get_dirent_tail(ext2_filsys fs, d = dirent; top = EXT2_DIRENT_TAIL(dirent, fs->blocksize); - rec_len = translate(d->rec_len); while ((void *) d < top) { - if ((rec_len < 8) || (rec_len & 0x03)) + rec_len = translate(d->rec_len); + if ((rec_len < 8) || (rec_len & 0x03) || + (rec_len > (char *)dirent + fs->blocksize - (char *)d)) return EXT2_ET_DIR_CORRUPTED; d = (struct ext2_dir_entry *)(((char *)d) + rec_len); - rec_len = translate(d->rec_len); } - if ((char *)d > ((char *)dirent + fs->blocksize)) - return EXT2_ET_DIR_CORRUPTED; if (d != top) return EXT2_ET_DIR_NO_SPACE_FOR_CSUM;
Powered by blists - more mailing lists