
[v2,3/3] debugfs/e2fsck: check bad s_head block number

Message ID 20230317091716.4150992-4-yi.zhang@huaweicloud.com
State New
Series e2fsprogs: journal cycled record transactions between each mount | expand

Commit Message

Zhang Yi March 17, 2023, 9:17 a.m. UTC
From: Zhang Yi <yi.zhang@huawei.com>

Check s_head in the journal superblock and fix it if this value is out
of bounds.

Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
---
 debugfs/journal.c | 5 +++++
 e2fsck/journal.c  | 9 +++++++++
 2 files changed, 14 insertions(+)

Patch

diff --git a/debugfs/journal.c b/debugfs/journal.c
index 5bc7552d..1eef3bca 100644
--- a/debugfs/journal.c
+++ b/debugfs/journal.c
@@ -631,6 +631,11 @@  static errcode_t ext2fs_journal_load(journal_t *journal)
 	else if (ntohl(jsb->s_maxlen) > journal->j_total_len)
 		return EXT2_ET_CORRUPT_JOURNAL_SB;
 
+	if (jsb->s_head != 0 &&
+	    (ntohl(jsb->s_head) < ntohl(jsb->s_first) ||
+	     ntohl(jsb->s_head) >= journal->j_total_len))
+		return EXT2_ET_CORRUPT_JOURNAL_SB;
+
 	journal->j_tail_sequence = ntohl(jsb->s_sequence);
 	journal->j_transaction_sequence = journal->j_tail_sequence;
 	journal->j_tail = ntohl(jsb->s_start);
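Review bot: The added condition exempts `s_head == 0` from validation without saying why, and the same undocumented exemption is repeated in the e2fsck/journal.c hunk. If zero is the "head never recorded" value, a comment should say so, e.g. `/* s_head == 0: no head recorded; otherwise it must lie in [s_first, j_total_len) */`. The lower bound is also taken from `s_first`, which comes from the same on-disk superblock, so the check only bounds the head if `s_first` is itself validated somewhere in ext2fs_journal_load; that is not visible here, because the function body starts and ends outside the hunk. Unlike the e2fsck version, this path returns EXT2_ET_CORRUPT_JOURNAL_SB with no diagnostic, so a bad head looks the same to the caller as the `s_maxlen` failure just above it.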
diff --git a/e2fsck/journal.c b/e2fsck/journal.c
index 8950446f..4b9f00ce 100644
--- a/e2fsck/journal.c
+++ b/e2fsck/journal.c
@@ -1374,6 +1374,15 @@  static errcode_t e2fsck_journal_load(journal_t *journal)
 		return EXT2_ET_CORRUPT_JOURNAL_SB;
 	}
 
+	if (jsb->s_head != 0 &&
+	    (ntohl(jsb->s_head) < ntohl(jsb->s_first) ||
+	     ntohl(jsb->s_head) >= journal->j_total_len)) {
+		com_err(ctx->program_name, EXT2_ET_CORRUPT_JOURNAL_SB,
+			_("%s, journal head out of bounds\n"),
+			ctx->device_name);
+		return EXT2_ET_CORRUPT_JOURNAL_SB;
+	}
+
 	journal->j_tail_sequence = ntohl(jsb->s_sequence);
 	journal->j_transaction_sequence = journal->j_tail_sequence;
 	journal->j_tail = ntohl(jsb->s_start);
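Review bot: The diagnostic added here reports only the device name, so whoever triages a corrupted or tampered journal superblock cannot see which head value was rejected. Including it would help, for example `_("%s: journal head %u out of bounds\n"), ctx->device_name, ntohl(jsb->s_head)`. The commit message says the value is fixed when out of bounds, but the visible code only reports and returns EXT2_ET_CORRUPT_JOURNAL_SB; any repair presumably happens in the caller's handling of that code, which is outside this hunk and worth stating in the description. Storing `ntohl(jsb->s_head)` in a local once would also avoid converting it twice in the condition and keep the message consistent with the value tested.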