lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Jun 2020 11:29:48 +0900 From: Wang Shilong <wangshilong1991@...il.com> To: linux-ext4@...r.kernel.org Cc: ebiggers@...nel.org, Wang Shilong <wshilong@....com> Subject: [PATCH v3] ext2fs: fix to avoid invalid memory access From: Wang Shilong <wshilong@....com> Valgrind reported error messages like following: ==129205== Address 0x1b804b04 is 4 bytes after a block of size 4,096 alloc'd ==129205== at 0x483980B: malloc (vg_replace_malloc.c:307) ==129205== by 0x44F973: ext2fs_get_mem (ext2fs.h:1846) ==129205== by 0x44F973: ext2fs_get_pathname (get_pathname.c:162) ==129205== by 0x430917: print_pathname (message.c:212) ==129205== by 0x430FB1: expand_percent_expression (message.c:462) ==129205== by 0x430FB1: print_e2fsck_message (message.c:544) ==129205== by 0x430BED: expand_at_expression (message.c:262) ==129205== by 0x430BED: print_e2fsck_message (message.c:528) ==129205== by 0x430450: fix_problem (problem.c:2494) ==129205== by 0x423F8B: e2fsck_process_bad_inode (pass2.c:1929) ==129205== by 0x425AE8: check_dir_block (pass2.c:1407) ==129205== by 0x426942: check_dir_block2 (pass2.c:961) ==129205== by 0x445736: ext2fs_dblist_iterate3.part.0 (dblist.c:254) ==129205== by 0x423835: e2fsck_pass2 (pass2.c:187) ==129205== by 0x414B19: e2fsck_run (e2fsck.c:257) Dir block might be corrupted and cause the next dirent is out of block size boundary, even though we have the check to avoid problem, memory check tools like valgrind still complains it. Patch try to fix the problem by checking if offset exceed max offset firstly before getting the pointer. Signed-off-by: Wang Shilong <wshilong@....com> --- v2->v3: fixed patch title v1->v2: kept same return value for corruption case as before. --- lib/ext2fs/csum.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c index c2550365..417a1fba 100644 --- a/lib/ext2fs/csum.c +++ b/lib/ext2fs/csum.c @@ -266,16 +266,14 @@ static errcode_t __get_dirent_tail(ext2_filsys fs, d = dirent; top = EXT2_DIRENT_TAIL(dirent, fs->blocksize); - rec_len = translate(d->rec_len); while ((void *) d < top) { - if ((rec_len < 8) || (rec_len & 0x03)) + rec_len = translate(d->rec_len); + if ((rec_len < 8) || (rec_len & 0x03) || + (rec_len > (char *)dirent + fs->blocksize - (char *)d)) return EXT2_ET_DIR_CORRUPTED; d = (struct ext2_dir_entry *)(((char *)d) + rec_len); - rec_len = translate(d->rec_len); } - if ((char *)d > ((char *)dirent + fs->blocksize)) - return EXT2_ET_DIR_CORRUPTED; if (d != top) return EXT2_ET_DIR_NO_SPACE_FOR_CSUM; -- 2.25.4
Powered by blists - more mailing lists