Date: Tue, 7 Jun 2022 00:24:38 -0400 From: "Theodore Ts'o" <tytso@....edu> To: Ext4 Developers List <linux-ext4@...r.kernel.org> Cc: Nils Bars <nils.bars@....de>, Moritz Schlögel <moritz.schloegel@....de>, Nico Schiller <nico.schiller@....de>, "Theodore Ts'o" <tytso@....edu> Subject: [PATCH 1/7] e2fsck: sanity check the journal inode number E2fsck replays the journal before sanity checking the full superblock. So it's possible that the journal inode number is not valid relative to the number of block groups. So to avoid potentially an array bounds overrun, sanity check this before trying to find the journal inode. Reported-by: Nils Bars <nils.bars@....de> Reported-by: Moritz Schlögel <moritz.schloegel@....de> Reported-by: Nico Schiller <nico.schiller@....de> Signed-off-by: Theodore Ts'o <tytso@....edu> --- e2fsck/journal.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/e2fsck/journal.c b/e2fsck/journal.c index 2e867234..12487e3d 100644 --- a/e2fsck/journal.c +++ b/e2fsck/journal.c @@ -989,7 +989,14 @@ static errcode_t e2fsck_get_journal(e2fsck_t ctx, journal_t **ret_journal) journal->j_blocksize = ctx->fs->blocksize; if (uuid_is_null(sb->s_journal_uuid)) { - if (!sb->s_journal_inum) { + /* + * The full set of superblock sanity checks haven't + * been performed yet, so we need to do some basic + * checks here to avoid potential array overruns. + */ + if (!sb->s_journal_inum || + (sb->s_journal_inum > + (ctx->fs->group_desc_count * sb->s_inodes_per_group))) { retval = EXT2_ET_BAD_INODE_NUM; goto errout; } -- 2.31.0
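Review bot: In the new condition in e2fsck_get_journal(), the upper bound `ctx->fs->group_desc_count * sb->s_inodes_per_group` is built from `s_inodes_per_group`, which comes from the same superblock that the added comment says has not been fully checked yet, and the multiplication is done without widening. The declarations are not visible in this hunk, but if both operands are 32-bit, a corrupted `s_inodes_per_group` can make the product wrap. A wrapped bound is smaller than the true product, so the check still rejects every inode number that would map past the last block group (and a zero `s_inodes_per_group` gives a bound of 0, rejecting any non-zero `s_journal_inum`), but it can also return EXT2_ET_BAD_INODE_NUM for a journal inode that is in range. Consider casting one operand to a 64-bit type before multiplying, or note in the comment that a wrapped bound only fails closed. It would also help for the comment to name the array being protected and to say that the bound is deliberately derived from the group count, so a later reader does not swap in a different superblock field.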