author | Theodore Ts'o <tytso@mit.edu> | 2022-06-06 11:39:23 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2022-06-06 11:39:23 -0400 |
commit | 1052048fb8f4ddcc0160eb670ef746ef7ee505a4 (patch) | |
tree | 3dfe089ae5c774f13df3cb417dbf96d3226fa840 | |
parent | 40196f3b493a55728f8f3a6591d52867ef613e3c (diff) | |
e2fsck: fix potential out-of-bounds read in inc_ea_inode_refs()
If there isn't enough space for a full extended attribute entry,
inc_ea_inode_refs() might end up reading beyond the allocated memory
buffer.
Reported-by: Nils Bars <nils.bars@rub.de>
Reported-by: Moritz Schlögel <moritz.schloegel@rub.de>
Reported-by: Nico Schiller <nico.schiller@rub.de>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r-- | e2fsck/pass1.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c
index dde862a82..2a17bb8ae 100644
--- a/e2fsck/pass1.c
+++ b/e2fsck/pass1.c
@@ -389,13 +389,13 @@ static problem_t check_large_ea_inode(e2fsck_t ctx,
 static void inc_ea_inode_refs(e2fsck_t ctx, struct problem_context *pctx,
 struct ext2_ext_attr_entry *first, void *end) {
- struct ext2_ext_attr_entry *entry;
+ struct ext2_ext_attr_entry *entry = first;
+ struct ext2_ext_attr_entry *np = EXT2_EXT_ATTR_NEXT(entry);
- for (entry = first;
- (void *)entry < end && !EXT2_EXT_IS_LAST_ENTRY(entry);
- entry = EXT2_EXT_ATTR_NEXT(entry)) {
+ while ((void *) entry < end && (void *) np < end &&
+ !EXT2_EXT_IS_LAST_ENTRY(entry)) {
 if (!entry->e_value_inum)
- continue;
+ goto next;
 if (!ctx->ea_inode_refs) {
 pctx->errcode = ea_refcount_create(0, &ctx->ea_inode_refs);
@@ -408,6 +408,9 @@ static void inc_ea_inode_refs(e2fsck_t ctx, struct problem_context *pctx,
 }
 ea_refcount_increment(ctx->ea_inode_refs, entry->e_value_inum, 0);
+ next:
+ entry = np;
+ np = EXT2_EXT_ATTR_NEXT(entry);
 }
 }
|
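Review bot: The new initializer `np = EXT2_EXT_ATTR_NEXT(entry)` in the first hunk runs before `first` has been compared with `end`, whereas the removed `for` loop tested `(void *)entry < end` before it touched the entry. EXT2_EXT_ATTR_NEXT derives the next address from the entry's own name-length field, so if a caller can pass `first >= end` (the callers are not visible here) this is still a read past the buffer, which is the class of bug the commit sets out to close. Declaring `struct ext2_ext_attr_entry *np;` without an initializer and placing `if ((void *) first >= end) return;` ahead of `np = EXT2_EXT_ATTR_NEXT(entry);` would keep the original check-before-read order. The body of inc_ea_inode_refs continues outside this hunk.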
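Review bot: The `next:` label and the two advance statements added in the second hunk carry no comment saying why `np` is kept one step ahead of `entry`, and a reader who sees only the loop tail cannot tell that the `goto` replaces a plain `continue` for that reason. A comment above `entry = np;` such as `/* np is precomputed so the loop test can stop before an entry that does not fit below end */` would record the intent. It would also be worth stating there that the `(void *) np < end` test skips an entry ending exactly at `end`, since that boundary choice looks deliberate but is not explained. The loop head is outside this hunk.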