linux-ext4.vger.kernel.org archive mirror
* [PATCH] e2fsprogs: add sanity check to extent manipulation
From: Lukas Czerner @ 2022-04-21 17:31 UTC
  To: linux-ext4; +Cc: tytso, Nils Bars

It is possible to have a corrupted extent tree in such a way that a leaf
node contains zero extents in it. Currently if that happens and we try
to traverse the tree we can end up accessing wrong data, or possibly
even uninitialized memory. Make sure we don't do that.

Additionally make sure that we have a sane number of bytes passed to
memmove() in ext2fs_extent_delete().

Note that e2fsck is currently unable to spot and fix such corruption in
pass1.

Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reported-by: Nils Bars <nils_bars@t-online.de>
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113
---
 lib/ext2fs/extent.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
index b324c7b0..1a206a16 100644
--- a/lib/ext2fs/extent.c
+++ b/lib/ext2fs/extent.c
@@ -495,6 +495,10 @@ retry:
 			ext2fs_le16_to_cpu(eh->eh_entries);
 		newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);
 
+		/* Make sure there is at least one extent present */
+		if (newpath->left <= 0)
+			return EXT2_ET_EXTENT_NO_DOWN;
+
 		if (path->left > 0) {
 			ix++;
 			newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);
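
Review bot: the new `newpath->left <= 0` check returns EXT2_ET_EXTENT_NO_DOWN, which a caller cannot tell apart from an ordinary "cannot descend" result, although the commit message describes this state as a corrupted tree. A corruption-specific code (the second hunk uses EXT2_ET_EXTENT_LEAF_BAD) would make the failure visible to callers, or the comment should say why NO_DOWN is intended. Since eh_entries and eh_max are both read just above, this is also the natural place to reject an entry count larger than the maximum, not only the zero case. The comment says "at least one extent" while the test applies to whichever node was just read; "entry" would be more accurate if index nodes can reach this path.
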
@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)
 
 	cp = path->curr;
 
+	/* Sanity check before memmove() */
+	if (path->left < 0)
+		return EXT2_ET_EXTENT_LEAF_BAD;
+
 	if (path->left) {
 		memmove(cp, cp + sizeof(struct ext3_extent_idx),
 			path->left * sizeof(struct ext3_extent_idx));
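
Review bot: the guard added before memmove() only rejects a negative path->left, so the length `path->left * sizeof(struct ext3_extent_idx)` still has no upper bound at this point. If the intent is "a sane number of bytes", as the commit message puts it, consider also checking path->left against the node's entry limit (for example path->max_entries) so the move cannot run past the node buffer. The comment "Sanity check before memmove()" would be more useful if it named the invariant being enforced.
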
-- 
2.35.1



* Re: [PATCH] e2fsprogs: add sanity check to extent manipulation
From: Theodore Ts'o @ 2022-04-28 14:43 UTC
  To: linux-ext4, Lukas Czerner; +Cc: Theodore Ts'o, Nils Bars

On Thu, 21 Apr 2022 19:31:48 +0200, Lukas Czerner wrote:
> It is possible to have a corrupted extent tree in such a way that a leaf
> node contains zero extents in it. Currently if that happens and we try
> to traverse the tree we can end up accessing wrong data, or possibly
> even uninitialized memory. Make sure we don't do that.
> 
> Additionally make sure that we have a sane number of bytes passed to
> memmove() in ext2fs_extent_delete().
> 
> [...]

Applied, thanks!

[1/1] libext2fs: add sanity check to extent manipulation
      commit: ab51d587bb9b229b1fade1afd02e1574c1ba5c76

Best regards,
-- 
Theodore Ts'o <tytso@mit.edu>
