From: "Theodore Ts'o"
To: Ext4 Developers List
Cc: Nils Bars, Moritz Schlögel, Nico Schiller, "Theodore Ts'o"
Subject: [PATCH 4/7] e2fsck: check for xattr value size integer wraparound
Date: Tue, 7 Jun 2022 00:24:41 -0400
Message-Id: <20220607042444.1798015-5-tytso@mit.edu>
In-Reply-To: <20220607042444.1798015-1-tytso@mit.edu>

When checking an extended attribute block for correctness, we check if
the starting offset plus the value size exceeds the end of the block.
However, we weren't checking if the size was too large, and if it is
so large that it triggers a wraparound when we added the starting
offset, we won't notice the problem. Add the missing check.

Reported-by: Nils Bars
Reported-by: Moritz Schlögel
Reported-by: Nico Schiller
Signed-off-by: Theodore Ts'o
---
 e2fsck/pass1.c             |  5 +++--
 lib/ext2fs/ext2_ext_attr.h | 11 +++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c index 2a17bb8a..11d7ce93 100644 --- a/e2fsck/pass1.c +++ b/e2fsck/pass1.c
@@ -2556,8 +2556,9 @@ static int check_ext_attr(e2fsck_t ctx, struct problem_context *pctx, break; } if (entry->e_value_inum == 0) { - if (entry->e_value_offs + entry->e_value_size > - fs->blocksize) { + if (entry->e_value_size > EXT2_XATTR_SIZE_MAX || + (entry->e_value_offs + entry->e_value_size > + fs->blocksize)) { if (fix_problem(ctx, PR_1_EA_BAD_VALUE, pctx)) goto clear_extattr; break; diff --git a/lib/ext2fs/ext2_ext_attr.h b/lib/ext2fs/ext2_ext_attr.h index f2042ed5..c6068c48 100644 --- a/lib/ext2fs/ext2_ext_attr.h +++ b/lib/ext2fs/ext2_ext_attr.h @@ -57,6 +57,17 @@ struct ext2_ext_attr_entry { #define EXT2_XATTR_SIZE(size) \ (((size) + EXT2_EXT_ATTR_ROUND) & ~EXT2_EXT_ATTR_ROUND) +/* + * XATTR_SIZE_MAX is currently 64k, but for the purposes of checking + * for file system consistency errors, we use a somewhat bigger value. + * This allows XATTR_SIZE_MAX to grow in the future, but by using this + * instead of INT_MAX for certain consistency checks, we don't need to + * worry about arithmetic overflows. (Actually XATTR_SIZE_MAX is + * defined in include/uapi/linux/limits.h, so changing it is going + * not going to be trivial....) + */ +#define EXT2_XATTR_SIZE_MAX (1 << 24) + #ifdef __KERNEL__ # ifdef CONFIG_EXT2_FS_EXT_ATTR extern int ext2_get_ext_attr(struct inode *, const char *, char *, size_t, int); -- 2.31.0
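
Review bot: In the check_ext_attr() hunk of e2fsck/pass1.c, only e_value_size is bounded before the addition in "entry->e_value_offs + entry->e_value_size > fs->blocksize", so the sum is wrap-free only if e_value_offs is itself known to be small, and nothing in these lines establishes that. A form that does not depend on the field widths or on a separate constant is to compare by subtraction: reject when entry->e_value_offs > fs->blocksize, and otherwise when entry->e_value_size > fs->blocksize - entry->e_value_offs. If the addition is kept, a one-line comment at the call site saying why the EXT2_XATTR_SIZE_MAX test must come first would stop a later cleanup from reordering or dropping it.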
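
Review bot: In the lib/ext2fs/ext2_ext_attr.h hunk, EXT2_XATTR_SIZE_MAX is defined as the signed expression "(1 << 24)" while its only use in this patch is a comparison against entry->e_value_size; if that field is an unsigned type, "(1U << 24)" keeps the comparison in one signedness and avoids sign-compare warnings. The new comment also has a slip, "changing it is going not going to be trivial", which should read "changing it is not going to be trivial", and it would help for the comment to state that the value is a sanity ceiling for consistency checks and not a limit e2fsprogs enforces when writing attributes.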