author: Theodore Ts'o <tytso@mit.edu> 2023-06-14 14:44:19 -0400
committer: Theodore Ts'o <tytso@mit.edu> 2023-06-15 00:31:12 -0400
commit: 4b429d9b4bc76641a46e82f069735a98d0b4774d (patch)
tree: fdd771dd795615e0f69339b7b802733d8bb07dcf
parent: d4745c4ad0044cca269f9bf79b635bb4716c7437 (diff)
download: e2fsprogs-4b429d9b4bc76641a46e82f069735a98d0b4774d.tar.gz
e2fsck: fix handling of an invalid symlink in an inline_data directory

If there is an inline directory that contains a directory entry to an invalid symlink, and that invalid symlink is the portion of the inline directory stored in an xattr portion of the inode, this can result in a buffer overrun.

When check_dir_block() is handling the in-xattr portion of the inline directory, it sets the buf pointer to the beginning of that part of the inline directory. This results in the scratch buffer passed to e2fsck_process_bad_inode() being incorrect, resulting in a buffer overrun if e2fsck_pass1_check_symlink() needs to read the symlink target (when the symlink is too long to fit in the i_blocks[] space).

This commit fixes this by using the original cd->buf instead of buf, since it can get modified when handling inline directories.

Fixes: 0ac4b3973f31 ("e2fsck: inspect inline dir data as two directory blocks")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r-- e2fsck/pass2.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/e2fsck/pass2.c b/e2fsck/pass2.c
index 410edd116..32cdf88a8 100644
--- a/e2fsck/pass2.c
+++ b/e2fsck/pass2.c
@@ -1513,7 +1513,7 @@ skip_checksum:
dirent->inode)) {
if (e2fsck_process_bad_inode(ctx, ino,
dirent->inode,
- buf + fs->blocksize)) {
+ cd->buf + fs->blocksize)) {
dirent->inode = 0;
dir_modified++;
goto next;
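Review bot: The new argument `cd->buf + fs->blocksize` carries no comment saying why it must be based on `cd->buf` rather than the local `buf`, so a later cleanup could switch it back and reintroduce the overrun. A short comment above the call, noting that `buf` may have been moved to the in-xattr portion of an inline directory while the scratch area passed to e2fsck_process_bad_inode() sits one block past the start of `cd->buf`, would make the constraint visible at the call site. The diffstat shows only e2fsck/pass2.c changing, so consider adding a regression test with an inline_data directory whose xattr portion holds an entry for a bad symlink. It is also worth confirming that no other scratch-buffer use in check_dir_block() is still derived from `buf` after the point where it is reassigned.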