1From 1052048fb8f4ddcc0160eb670ef746ef7ee505a4 Mon Sep 17 00:00:00 2001 2From: Theodore Ts'o <tytso@mit.edu> 3Date: Mon, 6 Jun 2022 11:39:23 -0400 4Subject: e2fsck: fix potential out-of-bounds read in inc_ea_inode_refs() 5MIME-Version: 1.0 6Content-Type: text/plain; charset=UTF-8 7Content-Transfer-Encoding: 8bit 8 9If there isn't enough space for a full extended attribute entry, 10inc_ea_inode_refs() might end up reading beyond the allocated memory 11buffer. 12 13Reported-by: Nils Bars <nils.bars@rub.de> 14Reported-by: Moritz Schlögel <moritz.schloegel@rub.de> 15Reported-by: Nico Schiller <nico.schiller@rub.de> 16Signed-off-by: Theodore Ts'o <tytso@mit.edu> 17--- 18 e2fsck/pass1.c | 13 ++++++++----- 19 1 file changed, 8 insertions(+), 5 deletions(-) 20 21diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c 22index dde862a8..2a17bb8a 100644 23--- a/e2fsck/pass1.c 24+++ b/e2fsck/pass1.c 25@@ -389,13 +389,13 @@ static problem_t check_large_ea_inode(e2fsck_t ctx, 26 static void inc_ea_inode_refs(e2fsck_t ctx, struct problem_context *pctx, 27 struct ext2_ext_attr_entry *first, void *end) 28 { 29- struct ext2_ext_attr_entry *entry; 30+ struct ext2_ext_attr_entry *entry = first; 31+ struct ext2_ext_attr_entry *np = EXT2_EXT_ATTR_NEXT(entry); 32 33- for (entry = first; 34- (void *)entry < end && !EXT2_EXT_IS_LAST_ENTRY(entry); 35- entry = EXT2_EXT_ATTR_NEXT(entry)) { 36+ while ((void *) entry < end && (void *) np < end && 37+ !EXT2_EXT_IS_LAST_ENTRY(entry)) { 38 if (!entry->e_value_inum) 39- continue; 40+ goto next; 41 if (!ctx->ea_inode_refs) { 42 pctx->errcode = ea_refcount_create(0, 43 &ctx->ea_inode_refs); 44@@ -408,6 +408,9 @@ static void inc_ea_inode_refs(e2fsck_t ctx, struct problem_context *pctx, 45 } 46 ea_refcount_increment(ctx->ea_inode_refs, entry->e_value_inum, 47 0); 48+ next: 49+ entry = np; 50+ np = EXT2_EXT_ATTR_NEXT(entry); 51 } 52 } 53 54-- 55cgit 56 57