Date: Fri, 17 Mar 2023 17:17:16 +0800 From: Zhang Yi <yi.zhang@...weicloud.com> To: linux-ext4@...r.kernel.org Cc: tytso@....edu, adilger.kernel@...ger.ca, jack@...e.cz, yi.zhang@...wei.com, yi.zhang@...weicloud.com, yukuai3@...wei.com Subject: [PATCH v2 3/3] debugfs/e2fsck: check bad s_head block number From: Zhang Yi <yi.zhang@...wei.com> Check s_head in the journal superblock and fix it if this value is out of bounds. Signed-off-by: Zhang Yi <yi.zhang@...wei.com> --- debugfs/journal.c | 5 +++++ e2fsck/journal.c | 9 +++++++++ 2 files changed, 14 insertions(+) diff --git a/debugfs/journal.c b/debugfs/journal.c index 5bc7552d..1eef3bca 100644 --- a/debugfs/journal.c +++ b/debugfs/journal.c @@ -631,6 +631,11 @@ static errcode_t ext2fs_journal_load(journal_t *journal) else if (ntohl(jsb->s_maxlen) > journal->j_total_len) return EXT2_ET_CORRUPT_JOURNAL_SB; + if (jsb->s_head != 0 && + (ntohl(jsb->s_head) < ntohl(jsb->s_first) || + ntohl(jsb->s_head) >= journal->j_total_len)) + return EXT2_ET_CORRUPT_JOURNAL_SB; + journal->j_tail_sequence = ntohl(jsb->s_sequence); journal->j_transaction_sequence = journal->j_tail_sequence; journal->j_tail = ntohl(jsb->s_start); diff --git a/e2fsck/journal.c b/e2fsck/journal.c index 8950446f..4b9f00ce 100644 --- a/e2fsck/journal.c +++ b/e2fsck/journal.c @@ -1374,6 +1374,15 @@ static errcode_t e2fsck_journal_load(journal_t *journal) return EXT2_ET_CORRUPT_JOURNAL_SB; } + if (jsb->s_head != 0 && + (ntohl(jsb->s_head) < ntohl(jsb->s_first) || + ntohl(jsb->s_head) >= journal->j_total_len)) { + com_err(ctx->program_name, EXT2_ET_CORRUPT_JOURNAL_SB, + _("%s, journal head out of bounds\n"), + ctx->device_name); + return EXT2_ET_CORRUPT_JOURNAL_SB; + } + journal->j_tail_sequence = ntohl(jsb->s_sequence); journal->j_transaction_sequence = journal->j_tail_sequence; journal->j_tail = ntohl(jsb->s_start); -- 2.31.1
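Review bot: In the debugfs/journal.c hunk, the `jsb->s_head != 0` exemption at the top of the new condition has no comment explaining why a zero head is accepted while every other value below s_first is rejected. A one-line comment stating what zero means for this field would make the intent clear. The commit message also says the value is fixed when it is out of bounds, but the added lines only return EXT2_ET_CORRUPT_JOURNAL_SB; if the repair happens in the caller's handling of that error, the changelog should say so.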
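Review bot: In the e2fsck/journal.c hunk, the com_err() message "journal head out of bounds" does not report the offending value. Printing ntohl(jsb->s_head) together with the accepted range (ntohl(jsb->s_first) up to journal->j_total_len) would let the user see how far off the field is. The three-line range condition is also repeated verbatim from the debugfs hunk; a small shared helper would keep the two copies from drifting apart.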