# HG changeset patch
# User tytso@mit.edu
# Date 1182493358 14400
# Node ID 702632e66380e459f60b238570edd1e911dd46bc
# Parent 17c2ad1542e716779e127b5db35879c391ac6282
e2fsck: added sanity check for xattr validation

Add an extra validity test in check_ext_attr(). If an attribute's e_value_size is zero the current code does not allocate a region for it and as a result the e_value_offs value is not verified. However, if e_value_offs is very large then the later call to ext2fs_ext_attr_hash_entry() can dereference bad memory and crash e2fsck.

Signed-off-by: Andreas Dilger <adilger@clusterfs.com>
Signed-off-by: Jim Garlick <garlick@llnl.gov>

Index: e2fsprogs-1.39-RHEL5/e2fsck/ChangeLog
===================================================================
--- e2fsprogs-1.39-RHEL5.orig/e2fsck/ChangeLog
+++ e2fsprogs-1.39-RHEL5/e2fsck/ChangeLog
@@ -1,3 +1,13 @@
+2007-06-22 Theodore Tso <tytso@mit.edu>
+
+ * pass1.c (check_ext_attr): Adds an extra validity test in
+ check_ext_attr(). If an attribute's e_value_size is zero
+ the current code does not allocate a region for it and as
+ a result the e_value_offs value is not verified. However,
+ if e_value_offs is very large then the later call to
+ ext2fs_ext_attr_hash_entry() can dereference bad memory
+ and crash e2fsck.
+
 2007-06-18 Theodore Tso <tytso@mit.edu>
 
 * journal.c (e2fsck_run_ext3_journal), unix.c (main): Explicitly
Index: e2fsprogs-1.39-RHEL5/e2fsck/pass1.c
===================================================================
--- e2fsprogs-1.39-RHEL5.orig/e2fsck/pass1.c
+++ e2fsprogs-1.39-RHEL5/e2fsck/pass1.c
@@ -1284,6 +1284,11 @@ static int check_ext_attr(e2fsck_t ctx,
 if (fix_problem(ctx, PR_1_EA_BAD_VALUE, pctx))
 goto clear_extattr;
 }
+ if (entry->e_value_offs + entry->e_value_size > fs->blocksize) {
+ if (fix_problem(ctx, PR_1_EA_BAD_VALUE, pctx))
+ goto clear_extattr;
+ break;
+ }
 if (entry->e_value_size &&
 region_allocate(region, entry->e_value_offs,
 EXT2_EXT_ATTR_SIZE(entry->e_value_size))) {
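Review bot: The new bound `if (entry->e_value_offs + entry->e_value_size > fs->blocksize)` can be defeated by an oversized e_value_size: if, as in the on-disk ext2_ext_attr_entry layout, e_value_offs is a 16-bit and e_value_size a 32-bit field, the sum is evaluated in 32-bit unsigned arithmetic, so a size near UINT32_MAX wraps it below blocksize, the entry passes, region_allocate() below is handed the huge padded size, and the ext2fs_ext_attr_hash_entry() call the commit message wants to protect is presumably still reached with an out-of-block value. Nothing visible in the hunk bounds e_value_size on its own, and the check just above (its condition lies outside the hunk) does not break out of the loop either. Test the two terms separately, e.g. `if (entry->e_value_size > fs->blocksize || entry->e_value_offs > fs->blocksize - entry->e_value_size) {`, and consider bounding with the same padded `EXT2_EXT_ATTR_SIZE(entry->e_value_size)` that the region_allocate() call two lines down reserves, so the check covers the bytes the value actually occupies in the block. check_ext_attr() begins and ends outside the hunk.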