e5a76161f210dda2b9eab4bfab5b561f57d355d2
[openwrt/staging/aparcar.git] /
1 From ab51d587bb9b229b1fade1afd02e1574c1ba5c76 Mon Sep 17 00:00:00 2001
2 From: Lukas Czerner <lczerner@redhat.com>
3 Date: Thu, 21 Apr 2022 19:31:48 +0200
4 Subject: libext2fs: add sanity check to extent manipulation
5
6 It is possible to have a corrupted extent tree in such a way that a leaf
7 node contains zero extents in it. Currently if that happens and we try
8 to traverse the tree we can end up accessing wrong data, or possibly
9 even uninitialized memory. Make sure we don't do that.
10
11 Additionally make sure that we have a sane number of bytes passed to
12 memmove() in ext2fs_extent_delete().
13
14 Note that e2fsck is currently unable to spot and fix such corruption in
15 pass1.
16
17 Signed-off-by: Lukas Czerner <lczerner@redhat.com>
18 Reported-by: Nils Bars <nils_bars@t-online.de>
19 Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113
20 Addresses: CVE-2022-1304
21 Addresses-Debian-Bug: #1010263
22 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
23 ---
24 lib/ext2fs/extent.c | 8 ++++++++
25 1 file changed, 8 insertions(+)
26
27 --- a/lib/ext2fs/extent.c
28 +++ b/lib/ext2fs/extent.c
29 @@ -495,6 +495,10 @@ retry:
30 ext2fs_le16_to_cpu(eh->eh_entries);
31 newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);
32
33 + /* Make sure there is at least one extent present */
34 + if (newpath->left <= 0)
35 + return EXT2_ET_EXTENT_NO_DOWN;
36 +
37 if (path->left > 0) {
38 ix++;
39 newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);
40 @@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_exte
41
42 cp = path->curr;
43
44 + /* Sanity check before memmove() */
45 + if (path->left < 0)
46 + return EXT2_ET_EXTENT_LEAF_BAD;
47 +
48 if (path->left) {
49 memmove(cp, cp + sizeof(struct ext3_extent_idx),
50 path->left * sizeof(struct ext3_extent_idx));