From patchwork Sun Jul 23 04:50:33 2017
X-Patchwork-Submitter: Theodore Ts'o
X-Patchwork-Id: 792529
From: Theodore Ts'o
To: Ext4 Developers List
Cc: abuchbinder@google.com, Theodore Ts'o
Subject: [PATCH 3/5] libext2fs: add stricter checks on the inode size in ext2fs_open2()
Date: Sun, 23 Jul 2017 00:50:33 -0400
Message-Id: <20170723045035.26019-3-tytso@mit.edu>
X-Mailer: git-send-email 2.11.0.rc0.7.gbe5a750
In-Reply-To: <20170723045035.26019-1-tytso@mit.edu>
References: <20170723045035.26019-1-tytso@mit.edu>
X-Mailing-List: linux-ext4@vger.kernel.org

An inode size larger than the block size can cause userspace programs
to crash. This problem was found using American Fuzzy Lop.

Reported-by: Adam Buchbinder
Signed-off-by: Theodore Ts'o
--- lib/ext2fs/openfs.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c index 0362b2839..da03bc147 100644 --- a/lib/ext2fs/openfs.c +++ b/lib/ext2fs/openfs.c @@ -121,6 +121,7 @@ errcode_t ext2fs_open2(const char *name, const char *io_options, blk64_t group_block, blk; char *dest, *cp; int group_zero_adjust = 0; + int inode_size; #ifdef WORDS_BIGENDIAN unsigned int groups_per_block; struct ext2_group_desc *gdp; @@ -297,7 +298,10 @@ errcode_t ext2fs_open2(const char *name, const char *io_options, goto cleanup; } fs->fragsize = fs->blocksize = EXT2_BLOCK_SIZE(fs->super); - if (EXT2_INODE_SIZE(fs->super) < EXT2_GOOD_OLD_INODE_SIZE) { + inode_size = EXT2_INODE_SIZE(fs->super); + if ((inode_size < EXT2_GOOD_OLD_INODE_SIZE) || + (inode_size > fs->blocksize) || + (inode_size & (inode_size - 1))) { retval = EXT2_ET_CORRUPT_SUPERBLOCK; goto cleanup; }
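
Review bot: in the `@@ -121,6 +121,7 @@` hunk, `int inode_size;` is declared signed, yet the second hunk compares it against `fs->blocksize` and uses it in the bit test `inode_size & (inode_size - 1)`. If `fs->blocksize` is an unsigned type, `inode_size > fs->blocksize` becomes a mixed-sign comparison that compilers flag under -Wsign-compare, and bit tests read more clearly on unsigned operands. Declaring it as `unsigned int inode_size;` would keep the same behaviour for any non-negative value returned by `EXT2_INODE_SIZE(fs->super)` while removing the ambiguity.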
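
Review bot: in the `@@ -297,7 +298,10 @@` hunk, the third condition `(inode_size & (inode_size - 1))` rejects any inode size that is not a power of two, but neither the code nor the commit message explains it; the message only covers the `inode_size > fs->blocksize` case. A short comment above the `if` listing the three requirements (at least `EXT2_GOOD_OLD_INODE_SIZE`, at most the block size, a power of two) would make the intent clear. The bit test alone would let zero through and depends on the preceding `<` check to exclude it, so the comment should say so. The upper bound is taken from `fs->blocksize`, which the context line just above sets from the same superblock, so please confirm the block size is range-checked before this point. The diffstat shows only lib/ext2fs/openfs.c changed; since the crash came from a fuzzed image, a regression test that opens a superblock with an oversized or non-power-of-two inode size and expects `EXT2_ET_CORRUPT_SUPERBLOCK` would keep the check from regressing.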