authorTheodore Ts'o <tytso@mit.edu>2022-06-06 12:03:36 -0400
committerTheodore Ts'o <tytso@mit.edu>2022-06-06 12:13:22 -0400
commitd497224dfbfdc1313136488cd7fb196885d40dfb (patch)
treef34cba5e73b568700d695df7d252822c22d1e891
parent1052048fb8f4ddcc0160eb670ef746ef7ee505a4 (diff)
downloade2fsprogs-d497224dfbfdc1313136488cd7fb196885d40dfb.tar.gz
libext2fs: add check for too-short directory blocks
If there is an inline data directory which is smaller than 8 bytes (which should never happen but for corrupted or fuzzed file systems), ext2fs_process_dir_block() will now abort with EXT2_ET_DIR_CORRUPTED to avoid an out-of-bounds read. Reported-by: Nils Bars <nils.bars@rub.de> Reported-by: Moritz Schlögel <moritz.schloegel@rub.de> Reported-by: Nico Schiller <nico.schiller@rub.de> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r--lib/ext2fs/dir_iterate.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/ext2fs/dir_iterate.c b/lib/ext2fs/dir_iterate.c
index b2b77693e..7798a4827 100644
--- a/lib/ext2fs/dir_iterate.c
+++ b/lib/ext2fs/dir_iterate.c
@@ -221,6 +221,10 @@ int ext2fs_process_dir_block(ext2_filsys fs,
if (ext2fs_has_feature_metadata_csum(fs->super))
csum_size = sizeof(struct ext2_dir_entry_tail);
+ if (buflen < 8) {
+ ctx->errcode = EXT2_ET_DIR_CORRUPTED;
+ return BLOCK_ABORT;
+ }
while (offset < buflen - 8) {
dirent = (struct ext2_dir_entry *) (ctx->buf + offset);
if (ext2fs_get_rec_len(fs, dirent, &rec_len))
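Review bot: The new `if (buflen < 8)` guard has no comment, and the bare `8` now appears both there and in the loop condition `offset < buflen - 8` right below it. If `buflen` is unsigned (its declaration is outside the hunk), that subtraction wraps for a short buffer, which is presumably the out-of-bounds read the commit message refers to. A comment above the guard such as `/* dirent header is 8 bytes; a shorter block would make buflen - 8 wrap */` would keep a later cleanup from dropping the check as redundant. The diffstat lists only dir_iterate.c, so a regression test using a truncated inline-data directory image would be worth adding with this fix. The body of ext2fs_process_dir_block() starts and ends outside the hunk.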