lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250717145933.GI2672022@frogsfrogsfrogs>
Date: Thu, 17 Jul 2025 07:59:33 -0700
From: "Darrick J. Wong" <djwong@...nel.org>
To: tytso@....edu
Cc: linux-ext4@...r.kernel.org
Subject: [PATCH 14/8] libext2fs: fix data read corruption in
 ext2fs_file_read_inline_data

From: Darrick J. Wong <djwong@...nel.org>

Fix numerous problems in the function that reads data from an inlinedata
file:

 - Reads starting after isize should be returned as short reads.
 - Reads past the end of the inline data should return zeroes.
 - Reads from the inline data buffer must not exceed isize.

Cc: <linux-ext4@...r.kernel.org> # v1.43
Fixes: 54e880b870f7fe ("libext2fs: handle inline data in read/write function")
Signed-off-by: "Darrick J. Wong" <djwong@...nel.org>
---
 lib/ext2fs/fileio.c |   22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/lib/ext2fs/fileio.c b/lib/ext2fs/fileio.c
index 818f7f05420029..900002c5295682 100644
--- a/lib/ext2fs/fileio.c
+++ b/lib/ext2fs/fileio.c
@@ -255,18 +255,26 @@ ext2fs_file_read_inline_data(ext2_file_t file, void *buf,
 			     unsigned int wanted, unsigned int *got)
 {
 	ext2_filsys fs;
-	errcode_t retval;
+	errcode_t retval = 0;
 	unsigned int count = 0;
+	uint64_t isize = EXT2_I_SIZE(&file->inode);
 	size_t size;
 
+	if (file->pos >= isize)
+		goto out;
+
 	fs = file->fs;
 	retval = ext2fs_inline_data_get(fs, file->ino, &file->inode,
 					file->buf, &size);
 	if (retval)
 		return retval;
 
-	if (file->pos >= size)
-		goto out;
+	/*
+	 * size is the number of bytes available for inline data storage, which
+	 * means it can exceed isize.
+	 */
+	if (size > isize)
+		size = isize;
 
 	count = size - file->pos;
 	if (count > wanted)
@@ -275,6 +283,14 @@ ext2fs_file_read_inline_data(ext2_file_t file, void *buf,
 	file->pos += count;
 	buf = (char *) buf + count;
 
+	/* zero-fill the rest of the buffer */
+	wanted -= count;
+	if (wanted > 0) {
+		memset(buf, 0, wanted);
+		file->pos += wanted;
+		count += wanted;
+	}
+
 out:
 	if (got)
 		*got = count;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ