e2fsck: check for xattr value size integer wraparound

When checking an extended attrbiute block for correctness, we check if the starting offset plus the value size exceeds the end of the block. However, we weren't checking if the size was too large, and if it is so large that it triggers a wraparound when we added the starting offset, we won't notice the problem. Add the missing check. Reported-by: Nils Bars <nils.bars@rub.de> Reported-by: Moritz Schlögel <moritz.schloegel@rub.de> Reported-by: Nico Schiller <nico.schiller@rub.de> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
author: Theodore Ts'o <tytso@mit.edu> 2022-06-06 13:34:08 -0400
committer: Theodore Ts'o <tytso@mit.edu> 2022-06-06 13:34:08 -0400
commit: f0c405f8b7bdabaf07284f1b52ba42b551152229 (patch)
tree: fbd6345ecff95a879d484cc973cb27ca32f2e078 /e2fsck
parent: d497224dfbfdc1313136488cd7fb196885d40dfb (diff)
download: e2fsprogs-f0c405f8b7bdabaf07284f1b52ba42b551152229.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c
index 2a17bb8a..11d7ce93 100644
--- a/e2fsck/pass1.c
+++ b/e2fsck/pass1.c
@@ -2556,8 +2556,9 @@ static int check_ext_attr(e2fsck_t ctx, struct problem_context *pctx,
 			break;
 		}
 		if (entry->e_value_inum == 0) {
-			if (entry->e_value_offs + entry->e_value_size >
-			    fs->blocksize) {
+			if (entry->e_value_size > EXT2_XATTR_SIZE_MAX ||
+			    (entry->e_value_offs + entry->e_value_size >
+			     fs->blocksize)) {
 				if (fix_problem(ctx, PR_1_EA_BAD_VALUE, pctx))
 					goto clear_extattr;
 				break;
author	Theodore Ts'o <tytso@mit.edu>	2022-06-06 13:34:08 -0400
committer	Theodore Ts'o <tytso@mit.edu>	2022-06-06 13:34:08 -0400
commit	f0c405f8b7bdabaf07284f1b52ba42b551152229 (patch)
tree	fbd6345ecff95a879d484cc973cb27ca32f2e078 /e2fsck
parent	d497224dfbfdc1313136488cd7fb196885d40dfb (diff)
download	e2fsprogs-f0c405f8b7bdabaf07284f1b52ba42b551152229.tar.gz