author | Theodore Ts'o <tytso@mit.edu> | 2022-06-06 13:34:08 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2022-06-06 13:34:08 -0400 |
commit | f0c405f8b7bdabaf07284f1b52ba42b551152229 (patch) | |
tree | fbd6345ecff95a879d484cc973cb27ca32f2e078 /e2fsck | |
parent | d497224dfbfdc1313136488cd7fb196885d40dfb (diff) | |
download | e2fsprogs-f0c405f8b7bdabaf07284f1b52ba42b551152229.tar.gz |
e2fsck: check for xattr value size integer wraparound
When checking an extended attribute block for correctness, we check if
the starting offset plus the value size exceeds the end of the block.
However, we weren't checking if the size was too large, and if it is
so large that it triggers a wraparound when we added the starting
offset, we won't notice the problem. Add the missing check.
Reported-by: Nils Bars <nils.bars@rub.de>
Reported-by: Moritz Schlögel <moritz.schloegel@rub.de>
Reported-by: Nico Schiller <nico.schiller@rub.de>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Diffstat (limited to 'e2fsck')
-rw-r--r-- | e2fsck/pass1.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c index 2a17bb8a..11d7ce93 100644 --- a/e2fsck/pass1.c +++ b/e2fsck/pass1.c @@ -2556,8 +2556,9 @@ static int check_ext_attr(e2fsck_t ctx, struct problem_context *pctx, break; } if (entry->e_value_inum == 0) { - if (entry->e_value_offs + entry->e_value_size > - fs->blocksize) { + if (entry->e_value_size > EXT2_XATTR_SIZE_MAX || + (entry->e_value_offs + entry->e_value_size > + fs->blocksize)) { if (fix_problem(ctx, PR_1_EA_BAD_VALUE, pctx)) goto clear_extattr; break; |
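Review bot: In the new condition inside the `entry->e_value_inum == 0` branch of check_ext_attr(), the sum `entry->e_value_offs + entry->e_value_size` is still evaluated, so the comparison against `fs->blocksize` is only sound if EXT2_XATTR_SIZE_MAX plus the largest possible offset cannot wrap in the type of that sum, and nothing at this site states that. Either add a one-line comment recording that assumption, or make the bounds check wrap-proof on its own by first rejecting `entry->e_value_offs > fs->blocksize` and then testing `entry->e_value_size > fs->blocksize - entry->e_value_offs`, which does not depend on the value of the constant. As a style point, the parentheses added around the second operand of `||` are redundant.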