author Lukas Czerner <lczerner@redhat.com> 2018-08-14 16:37:53 +0200
committer Theodore Ts'o <tytso@mit.edu> 2018-10-02 21:47:10 -0400
commit b0ec76d623f737a32abc5ab8bb7198bf1d9939a4 (patch)
tree 63cfe2fdbe93ccd7d29984bc73c6d1e939266946 /tests
parent feb235e0812d6c5f1fda9e8c790b5bcb78aba285 (diff)
libe2p: avoid segfault when s_nr_users is too high
Currently in e2fsprogs tools it's possible to access out of bounds memory when reading list of ids sharing a journal log (journal_superblock_t->s_users[]) in case where s_nr_users is too high.

This is because we never check whether the s_nr_users fits into the restriction of JFS_USERS_MAX. Fix it by checking that nr_users is not bigger than JFS_USERS_MAX and error out when possible.

Also add test for dumpe2fs. The rest would require involving external journal which is not possible to test with e2fsprogs test suite at the moment.

Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
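The class of check the commit message describes, as an added example that is not the libe2p change itself (that part of the commit is outside this tests-only view). The helper names are hypothetical; the field offsets (0x40 for s_nr_users, 0x100 for s_users[]) and big-endian encoding follow the documented jbd2 on-disk journal superblock layout, and the sample superblock is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JSB_SIZE      1024   /* on-disk journal superblock size */
#define JSB_NR_USERS  0x40   /* s_nr_users, big-endian 32-bit */
#define JSB_USERS     0x100  /* s_users[16 * JFS_USERS_MAX] */
#define UUID_LEN      16
#define JFS_USERS_MAX 48

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: copy the user UUIDs out of a raw journal superblock.
 * Returns the user count, or -1 when the buffer is short or s_nr_users
 * would index past the end of s_users[]. */
int journal_users(const unsigned char *jsb, size_t len,
                  unsigned char out[][UUID_LEN], size_t max_out)
{
    uint32_t nr, i;

    if (jsb == NULL || len < JSB_SIZE)
        return -1;
    nr = be32(jsb + JSB_NR_USERS);
    if (nr > JFS_USERS_MAX || nr > max_out)   /* untrusted on-disk count */
        return -1;
    for (i = 0; i < nr; i++)
        memcpy(out[i], jsb + JSB_USERS + (size_t)i * UUID_LEN, UUID_LEN);
    return (int)nr;
}

/* Constructed sample: an otherwise zeroed superblock with a chosen count. */
int demo(uint32_t nr_users)
{
    unsigned char jsb[JSB_SIZE] = {0};
    unsigned char users[JFS_USERS_MAX][UUID_LEN];

    jsb[JSB_NR_USERS + 0] = (unsigned char)(nr_users >> 24);
    jsb[JSB_NR_USERS + 1] = (unsigned char)(nr_users >> 16);
    jsb[JSB_NR_USERS + 2] = (unsigned char)(nr_users >> 8);
    jsb[JSB_NR_USERS + 3] = (unsigned char)nr_users;
    return journal_users(jsb, sizeof(jsb), users, JFS_USERS_MAX);
}

int main(void)
{
    printf("nr_users=2 -> %d, nr_users=9999 -> %d\n", demo(2), demo(9999));
    return 0;
}
```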
Diffstat (limited to 'tests')
-rw-r--r-- tests/d_corrupt_journal_nr_users/expect 99
-rw-r--r-- tests/d_corrupt_journal_nr_users/image.gz bin 0 -> 8788 bytes
-rw-r--r-- tests/d_corrupt_journal_nr_users/name 1
-rw-r--r-- tests/d_corrupt_journal_nr_users/script 25
-rw-r--r-- tests/f_bad_local_jnl/image bin 0 -> 8388608 bytes
5 files changed, 125 insertions, 0 deletions
diff --git a/tests/d_corrupt_journal_nr_users/expect b/tests/d_corrupt_journal_nr_users/expect
new file mode 100644
index 000000000..cdfb49a0d
--- /dev/null
+++ b/tests/d_corrupt_journal_nr_users/expect
@@ -0,0 +1,99 @@
+Filesystem volume name: <none>
+Last mounted on: <not available>
+Filesystem magic number: 0xEF53
+Filesystem revision #: 1 (dynamic)
+Filesystem features: has_journal ext_attr resize_inode dir_index filetype extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum
+Default mount options: user_xattr acl
+Filesystem state: clean
+Errors behavior: Continue
+Filesystem OS type: Linux
+Inode count: 512
+Block count: 2048
+Reserved block count: 102
+Free blocks: 982
+Free inodes: 501
+First block: 0
+Block size: 4096
+Fragment size: 4096
+Group descriptor size: 64
+Blocks per group: 32768
+Fragments per group: 32768
+Inodes per group: 512
+Inode blocks per group: 32
+Flex block group size: 16
+Mount count: 0
+Check interval: 0 (<none>)
+Reserved blocks uid: 0
+Reserved blocks gid: 0
+First inode: 11
+Inode size: 256
+Required extra isize: 32
+Desired extra isize: 32
+Journal inode: 8
+Default directory hash: half_md4
+Journal backup: inode blocks
+Checksum type: crc32c
+Journal features: (none)
+Journal size: 4096k
+Journal length: 1024
+Journal sequence: 0x00000001
+Journal start: 0
+Journal number of users: 9999
+Journal users: <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+ <none>
+
+
+Group 0: (Blocks 0-2047)
+ Primary superblock at 0, Group descriptors at 1-1
+ Block bitmap at 2 (+2)
+ Inode bitmap at 18 (+18)
+ Inode table at 34-65 (+34)
+ 982 free blocks, 501 free inodes, 2 directories, 501 unused inodes
+ Free blocks: 1066-2047
+ Free inodes: 12-512
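Review bot: The expected output pins "Journal number of users: 9999" followed by 48 `<none>` entries and no diagnostic, so this test passes on silent truncation of the user list and nothing in the 99 lines tells the user that the journal superblock is corrupt. The commit message says the tools should error out when possible; consider having dumpe2fs print a message that the count is out of range and recording that line in this file, so the expectation documents the intended behaviour and not only the absence of a crash.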
diff --git a/tests/d_corrupt_journal_nr_users/image.gz b/tests/d_corrupt_journal_nr_users/image.gz
new file mode 100644
index 000000000..1fc32eddd
--- /dev/null
+++ b/tests/d_corrupt_journal_nr_users/image.gz
Binary files differ
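Review bot: This binary fixture cannot be reviewed from the diff, and nothing in the name or script files records how it was produced. A short comment in the script, or a sentence in the commit message, stating how the journal superblock count was set to the 9999 seen in the expect file would let someone regenerate the image if the format or the test harness changes.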
diff --git a/tests/d_corrupt_journal_nr_users/name b/tests/d_corrupt_journal_nr_users/name
new file mode 100644
index 000000000..8b33a273e
--- /dev/null
+++ b/tests/d_corrupt_journal_nr_users/name
@@ -0,0 +1 @@
+Journal superblock corrupted, nr_users too high
diff --git a/tests/d_corrupt_journal_nr_users/script b/tests/d_corrupt_journal_nr_users/script
new file mode 100644
index 000000000..683cd4874
--- /dev/null
+++ b/tests/d_corrupt_journal_nr_users/script
@@ -0,0 +1,25 @@
+if ! test -x $DEBUGFS_EXE; then
+ echo "$test_name: $test_description: skipped (no debugfs)"
+ return 0
+fi
+
+IMAGE=$test_dir/image.gz
+EXP=$test_dir/expect
+OUT=$test_name.log
+gunzip < $IMAGE > $TMPFILE
+
+$DUMPE2FS $TMPFILE >> $OUT.new 2>&1
+sed -f $cmd_dir/filter.sed $OUT.new > $OUT
+rm -f $TMPFILE $OUT.new
+
+cmp -s $OUT $EXP
+status=$?
+
+if [ "$status" = 0 ] ; then
+ echo "$test_name: $test_description: ok"
+ touch $test_name.ok
+else
+ echo "$test_name: $test_description: failed"
+ diff $DIFF_OPTS $EXP $OUT > $test_name.failed
+ rm -f $test_name.tmp
+fi
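Review bot: The guard at the top of the script tests `$DEBUGFS_EXE` and reports "skipped (no debugfs)", but the test only ever runs `$DUMPE2FS`; debugfs is never invoked. Check for the dumpe2fs executable instead and adjust the skip message, otherwise the test is skipped for the wrong reason or runs without the binary it needs. Smaller points in the same hunk: `$OUT.new` is appended to with `>>` without being removed first, so a stale file from an earlier run would be compared, and the failure branch removes `$test_name.tmp`, which this script never creates. Quoting `$TMPFILE`, `$IMAGE` and the other path variables would also make the script safe for paths containing spaces.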
diff --git a/tests/f_bad_local_jnl/image b/tests/f_bad_local_jnl/image
new file mode 100644
index 000000000..6f2b550a3
--- /dev/null
+++ b/tests/f_bad_local_jnl/image
Binary files differ
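Review bot: This adds an 8388608-byte uncompressed image under tests/f_bad_local_jnl, yet the diff adds no name, script or expect file for that directory and the commit message only mentions the dumpe2fs test. If the image belongs to this change, say so in the commit message and store it gzipped as the other fixture is (8788 bytes as image.gz); if it was picked up by accident, drop it from the commit.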