| Message ID | 20220607042444.1798015-2-tytso@mit.edu |
|---|---|
| State | Accepted |
| Headers | show |
| Series | Fix various bugs found via a fuzzing campaign | expand |
On Tue, Jun 07, 2022 at 12:24:38AM -0400, Theodore Ts'o wrote: > E2fsck replays the journal before sanity checking the full superblock. > So it's possible that the journal inode number is not valid relative > to the number of block groups. So to avoid potentially an array > bounds overrun, sanity check this before trying to find the journal > inode. Looks good. Reviewed-by: Lukas Czerner <lczerner@redhat.com> > > Reported-by: Nils Bars <nils.bars@rub.de> > Reported-by: Moritz Schlögel <moritz.schloegel@rub.de> > Reported-by: Nico Schiller <nico.schiller@rub.de> > Signed-off-by: Theodore Ts'o <tytso@mit.edu> > --- > e2fsck/journal.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/e2fsck/journal.c b/e2fsck/journal.c > index 2e867234..12487e3d 100644 > --- a/e2fsck/journal.c > +++ b/e2fsck/journal.c > @@ -989,7 +989,14 @@ static errcode_t e2fsck_get_journal(e2fsck_t ctx, journal_t **ret_journal) > journal->j_blocksize = ctx->fs->blocksize; > > if (uuid_is_null(sb->s_journal_uuid)) { > - if (!sb->s_journal_inum) { > + /* > + * The full set of superblock sanity checks haven't > + * been performed yet, so we need to do some basic > + * checks here to avoid potential array overruns. > + */ > + if (!sb->s_journal_inum || > + (sb->s_journal_inum > > + (ctx->fs->group_desc_count * sb->s_inodes_per_group))) { > retval = EXT2_ET_BAD_INODE_NUM; > goto errout; > } > -- > 2.31.0 >
diff --git a/e2fsck/journal.c b/e2fsck/journal.c index 2e867234..12487e3d 100644 --- a/e2fsck/journal.c +++ b/e2fsck/journal.c @@ -989,7 +989,14 @@ static errcode_t e2fsck_get_journal(e2fsck_t ctx, journal_t **ret_journal) journal->j_blocksize = ctx->fs->blocksize; if (uuid_is_null(sb->s_journal_uuid)) { - if (!sb->s_journal_inum) { + /* + * The full set of superblock sanity checks haven't + * been performed yet, so we need to do some basic + * checks here to avoid potential array overruns. + */ + if (!sb->s_journal_inum || + (sb->s_journal_inum > + (ctx->fs->group_desc_count * sb->s_inodes_per_group))) { retval = EXT2_ET_BAD_INODE_NUM; goto errout; }
E2fsck replays the journal before sanity checking the full superblock. So it's possible that the journal inode number is not valid relative to the number of block groups. So to avoid potentially an array bounds overrun, sanity check this before trying to find the journal inode. Reported-by: Nils Bars <nils.bars@rub.de> Reported-by: Moritz Schlögel <moritz.schloegel@rub.de> Reported-by: Nico Schiller <nico.schiller@rub.de> Signed-off-by: Theodore Ts'o <tytso@mit.edu> --- e2fsck/journal.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)