lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220421173148.20193-1-lczerner@redhat.com>
Date:   Thu, 21 Apr 2022 19:31:48 +0200
From:   Lukas Czerner <lczerner@...hat.com>
To:     linux-ext4@...r.kernel.org
Cc:     tytso@....edu, Nils Bars <nils_bars@...nline.de>
Subject: [PATCH] e2fsprogs: add sanity check to extent manipulation

It is possible to have a corrupted extent tree in such a way that a leaf
node contains zero extents in it. Currently if that happens and we try
to traverse the tree we can end up accessing wrong data, or possibly
even uninitialized memory. Make sure we don't do that.

Additionally make sure that we have a sane number of bytes passed to
memmove() in ext2fs_extent_delete().

Note that e2fsck is currently unable to spot and fix such corruption in
pass1.

Signed-off-by: Lukas Czerner <lczerner@...hat.com>
Reported-by: Nils Bars <nils_bars@...nline.de>
Addressess: https://bugzilla.redhat.com/show_bug.cgi?id=2068113
---
 lib/ext2fs/extent.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
index b324c7b0..1a206a16 100644
--- a/lib/ext2fs/extent.c
+++ b/lib/ext2fs/extent.c
@@ -495,6 +495,10 @@ retry:
 			ext2fs_le16_to_cpu(eh->eh_entries);
 		newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);
 
+		/* Make sure there is at least one extent present */
+		if (newpath->left <= 0)
+			return EXT2_ET_EXTENT_NO_DOWN;
+
 		if (path->left > 0) {
 			ix++;
 			newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);
@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)
 
 	cp = path->curr;
 
+	/* Sanity check before memmove() */
+	if (path->left < 0)
+		return EXT2_ET_EXTENT_LEAF_BAD;
+
 	if (path->left) {
 		memmove(cp, cp + sizeof(struct ext3_extent_idx),
 			path->left * sizeof(struct ext3_extent_idx));
-- 
2.35.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ