From: Theodore Ts'o <tytso@mit.edu>
To: Ext4 Developers List <linux-ext4@vger.kernel.org>
Cc: antymat+debian@chelmska.waw.pl, 756922@bugs.debian.org,
Theodore Ts'o <tytso@mit.edu>
Subject: [PATCH 1/6] libext2fs: avoid buffer overflow if s_first_meta_bg is too big
Date: Sat, 9 Aug 2014 13:10:15 -0400 [thread overview]
Message-ID: <1407604220-2620-1-git-send-email-tytso@mit.edu> (raw)
If s_first_meta_bg is greater than the number block group descriptor
blocks, then reading or writing the block group descriptors will end
up overruning the memory buffer allocated for the descriptors. Fix
this by limiting first_meta_bg to no more than fs->desc_blocks. This
doesn't correct the bad s_first_meta_bg value, but it avoids causing
the e2fsprogs userspace programs from potentially crashing.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
lib/ext2fs/closefs.c | 6 ++++--
lib/ext2fs/openfs.c | 6 ++++--
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
index 4599eef..1f99113 100644
--- a/lib/ext2fs/closefs.c
+++ b/lib/ext2fs/closefs.c
@@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
* superblocks and group descriptors.
*/
group_ptr = (char *) group_shadow;
- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
old_desc_blocks = fs->super->s_first_meta_bg;
- else
+ if (old_desc_blocks > fs->super->s_first_meta_bg)
+ old_desc_blocks = fs->desc_blocks;
+ } else
old_desc_blocks = fs->desc_blocks;
ext2fs_numeric_progress_init(fs, &progress, NULL,
diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c
index a1a3517..ba501e6 100644
--- a/lib/ext2fs/openfs.c
+++ b/lib/ext2fs/openfs.c
@@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
#ifdef WORDS_BIGENDIAN
groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
#endif
- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
first_meta_bg = fs->super->s_first_meta_bg;
- else
+ if (first_meta_bg > fs->desc_blocks)
+ first_meta_bg = fs->desc_blocks;
+ } else
first_meta_bg = fs->desc_blocks;
if (first_meta_bg) {
retval = io_channel_read_blk(fs->io, group_block +
--
2.0.0
next reply other threads:[~2014-08-09 17:10 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-09 17:10 Theodore Ts'o [this message]
2014-08-09 17:10 ` [PATCH 2/6] e2fsck: fix file systems with an overly large s_first_meta_bg Theodore Ts'o
2014-08-09 17:10 ` [PATCH 3/6] resize2fs: disable the meta_bg feature if necessary Theodore Ts'o
2014-08-09 17:10 ` [PATCH 4/6] tests: make sure MKE2FS_FIRST_META_BG is unset while running tests Theodore Ts'o
2014-08-09 17:10 ` [PATCH 5/6] tests: add f_first_meta_bg_too_big test Theodore Ts'o
2014-08-09 17:10 ` [PATCH 6/6] tests: add the r_meta_bg_shrink test Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1407604220-2620-1-git-send-email-tytso@mit.edu \
--to=tytso@mit.edu \
--cc=756922@bugs.debian.org \
--cc=antymat+debian@chelmska.waw.pl \
--cc=linux-ext4@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).