diff options
author | Theodore Ts'o <tytso@mit.edu> | 2017-09-04 20:32:22 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2017-09-06 10:20:53 -0400 |
commit | 32cb8473028406697502ba6698462ba3df909a46 (patch) | |
tree | bee8d0c55b0b07da88ce6f5b6d2a627676207cc3 /lib | |
parent | 8e86ecf704a2c3aa158095451e9e15c61ffc7f11 (diff) | |
download | e2fsprogs-32cb8473028406697502ba6698462ba3df909a46.tar.gz |
e2fsck, libext2fs: add checks for insanely large file systems
If the blocks count field is too large, this can cause numeric
overflows which can result in buffer overflows.
Addresses-Debian-Bug: #873757
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: Jakub Wilk <jwilk@jwilk.net>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/ext2fs/openfs.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c index da03bc147..f74cd2458 100644 --- a/lib/ext2fs/openfs.c +++ b/lib/ext2fs/openfs.c @@ -122,6 +122,7 @@ errcode_t ext2fs_open2(const char *name, const char *io_options, char *dest, *cp; int group_zero_adjust = 0; int inode_size; + __u64 groups_cnt; #ifdef WORDS_BIGENDIAN unsigned int groups_per_block; struct ext2_group_desc *gdp; @@ -371,9 +372,14 @@ errcode_t ext2fs_open2(const char *name, const char *io_options, retval = EXT2_ET_CORRUPT_SUPERBLOCK; goto cleanup; } - fs->group_desc_count = ext2fs_div64_ceil(ext2fs_blocks_count(fs->super) - - fs->super->s_first_data_block, - blocks_per_group); + groups_cnt = ext2fs_div64_ceil(ext2fs_blocks_count(fs->super) - + fs->super->s_first_data_block, + blocks_per_group); + if (groups_cnt >> 32) { + retval = EXT2_ET_CORRUPT_SUPERBLOCK; + goto cleanup; + } + fs->group_desc_count = groups_cnt; if (fs->group_desc_count * EXT2_INODES_PER_GROUP(fs->super) != fs->super->s_inodes_count) { retval = EXT2_ET_CORRUPT_SUPERBLOCK; |