Hi Ted,

We came across a corruption in which e_value_offs for an in-inode EA was corrupt and the overflow was causing a segfault. We should validate e_value_offs for in-inode EAs as well. I have also attached the regression test for this problem.

Signed-off-by: Girish Shilamkar <girish.shilamkar@xxxxxxx>

--
Thanks,
Girish
Index: e2fsprogs-1.41.1/e2fsck/pass1.c =================================================================== --- e2fsprogs-1.41.1.orig/e2fsck/pass1.c 2008-08-28 19:56:31.000000000 +0530 +++ e2fsprogs-1.41.1/e2fsck/pass1.c 2009-02-04 16:21:14.000000000 +0530 @@ -318,6 +318,13 @@ goto fix; } + /* Value size cannot be larger than EA space in inode */ + if (entry->e_value_offs > storage_size || + entry->e_value_offs + entry->e_value_size > storage_size) { + problem = PR_1_INODE_EA_BAD_VALUE; + goto fix; + } + hash = ext2fs_ext_attr_hash_entry(entry, start + entry->e_value_offs); Index: e2fsprogs-1.41.1/e2fsck/problem.c =================================================================== --- e2fsprogs-1.41.1.orig/e2fsck/problem.c 2008-08-28 19:56:31.000000000 +0530 +++ e2fsprogs-1.41.1/e2fsck/problem.c 2009-02-04 16:20:06.000000000 +0530 @@ -908,6 +908,11 @@ N_("Pass 1C: Scanning directories for @is with @m @bs\n"), PROMPT_NONE, 0 }, + /* Bad extended attribute value in inode */ + { PR_1_INODE_EA_BAD_VALUE, + N_("@a in @i %i is corrupt (@n value)."), + PROMPT_CLEAR, 0}, + /* Pass 1D: Reconciling multiply-claimed blocks */ { PR_1D_PASS_HEADER, Index: e2fsprogs-1.41.1/e2fsck/problem.h =================================================================== --- e2fsprogs-1.41.1.orig/e2fsck/problem.h 2008-08-28 08:37:00.000000000 +0530 +++ e2fsprogs-1.41.1/e2fsck/problem.h 2009-02-04 16:20:06.000000000 +0530 @@ -560,6 +560,9 @@ /* Couldn't clone file (error) */ #define PR_1D_CLONE_ERROR 0x013008 +/* Bad extended attribute value in inode */ +#define PR_1_INODE_EA_BAD_VALUE 0x01006D + /* * Pass 2 errors */
Index: e2fsprogs-1.41.1/tests/f_bad_ea_value/expect.1 =================================================================== --- /dev/null +++ e2fsprogs-1.41.1/tests/f_bad_ea_value/expect.1 @@ -0,0 +1,11 @@ +Pass 1: Checking inodes, blocks, and sizes +Extended attribute in inode 13 is corrupt (invalid value).Clear? yes + +Pass 2: Checking directory structure +Pass 3: Checking directory connectivity +Pass 4: Checking reference counts +Pass 5: Checking group summary information + +test_filesys: ***** FILE SYSTEM WAS MODIFIED ***** +test_filesys: 13/2048 files (0.0% non-contiguous), 1293/2048 blocks +Exit status is 1 Index: e2fsprogs-1.41.1/tests/f_bad_ea_value/expect.2 =================================================================== --- /dev/null +++ e2fsprogs-1.41.1/tests/f_bad_ea_value/expect.2 @@ -0,0 +1,7 @@ +Pass 1: Checking inodes, blocks, and sizes +Pass 2: Checking directory structure +Pass 3: Checking directory connectivity +Pass 4: Checking reference counts +Pass 5: Checking group summary information +test_filesys: 13/2048 files (0.0% non-contiguous), 1293/2048 blocks +Exit status is 0 Index: e2fsprogs-1.41.1/tests/f_bad_ea_value/name =================================================================== --- /dev/null +++ e2fsprogs-1.41.1/tests/f_bad_ea_value/name @@ -0,0 +1 @@ +invalid value of in-inode EA offset --- /dev/null 2009-02-04 10:39:50.420557047 +0530 +++ e2fsprogs-1.41.1/tests/f_bad_ea_value/image.gz 2009-02-04 13:21:18.000000000 +0530 @@ -0,0 +1,4 @@
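Review bot: in the pass1.c hunk, the second condition `entry->e_value_offs + entry->e_value_size > storage_size` adds a 16-bit offset to a 32-bit size in unsigned 32-bit arithmetic, so a very large e_value_size can wrap the sum back below storage_size and pass the check unless e_value_size has already been bounded by a check outside this hunk's context lines. Once the first condition has established `entry->e_value_offs <= storage_size`, the wrap-free form is `entry->e_value_size > storage_size - entry->e_value_offs`. The comment "Value size cannot be larger than EA space in inode" also undersells what is checked; it is the whole value range (offset plus size) that must fit, so say so.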
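Review bot: the message string in the problem.c hunk, N_("@a in @i %i is corrupt (@n value)."), has no trailing separator, so the PROMPT_CLEAR prompt is glued onto the sentence; the expect.1 hunk shows exactly that: "corrupt (invalid value).Clear? yes". Ending the string with two spaces ("... (@n value).  ") gives the ".  Clear? yes" form used elsewhere in e2fsck, and expect.1 must then be regenerated to match. The entry is also inserted between the Pass 1C and Pass 1D headers although it is a Pass 1 problem; it belongs with the other PR_1_ entries.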
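Review bot: the new `#define PR_1_INODE_EA_BAD_VALUE 0x01006D` in the problem.h hunk is placed after PR_1D_CLONE_ERROR in the Pass 1D block even though its code is in the Pass 1 (0x0100xx) range; move it up next to the other PR_1_ definitions so the numbering stays grouped and the next free Pass 1 code remains easy to find.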