authorTheodore Ts'o <tytso@mit.edu>2022-05-30 19:17:30 -0400
committerTheodore Ts'o <tytso@mit.edu>2022-05-30 19:17:30 -0400
commit40196f3b493a55728f8f3a6591d52867ef613e3c (patch)
tree57100221bc139d93b68bf7ff0f14e99d7ad1d91f
parented54397b414def44d8ef11b4e320d9809d5fa294 (diff)
e2fsck: sanity check the journal inode number
E2fsck replays the journal before sanity checking the full superblock, so it's possible that the journal inode number is not valid relative to the number of block groups. To avoid a potential array bounds overrun, sanity check this before trying to find the journal inode. Reported-by: Nils Bars <nils.bars@rub.de> Reported-by: Moritz Schlögel <moritz.schloegel@rub.de> Reported-by: Nico Schiller <nico.schiller@rub.de> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r--e2fsck/journal.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/e2fsck/journal.c b/e2fsck/journal.c
index 2e867234b..12487e3d8 100644
--- a/e2fsck/journal.c
+++ b/e2fsck/journal.c
@@ -989,7 +989,14 @@ static errcode_t e2fsck_get_journal(e2fsck_t ctx, journal_t **ret_journal)
journal->j_blocksize = ctx->fs->blocksize;
if (uuid_is_null(sb->s_journal_uuid)) {
- if (!sb->s_journal_inum) {
+ /*
+ * The full set of superblock sanity checks haven't
+ * been performed yet, so we need to do some basic
+ * checks here to avoid potential array overruns.
+ */
+ if (!sb->s_journal_inum ||
+ (sb->s_journal_inum >
+ (ctx->fs->group_desc_count * sb->s_inodes_per_group))) {
retval = EXT2_ET_BAD_INODE_NUM;
goto errout;
}