From: Zhang Yi <yi.zhang@xxxxxxxxxx>
Check s_head in the journal superblock and fix it if this value is out of bounds.
Signed-off-by: Zhang Yi <yi.zhang@xxxxxxxxxx>
---
debugfs/journal.c | 5 +++++
e2fsck/journal.c | 9 +++++++++
2 files changed, 14 insertions(+)
diff --git a/debugfs/journal.c b/debugfs/journal.c
index 5bc7552d..1eef3bca 100644
--- a/debugfs/journal.c
+++ b/debugfs/journal.c
@@ -631,6 +631,11 @@ static errcode_t ext2fs_journal_load(journal_t *journal)
 else if (ntohl(jsb->s_maxlen) > journal->j_total_len)
 return EXT2_ET_CORRUPT_JOURNAL_SB;
 
+ if (jsb->s_head != 0 &&
+ (ntohl(jsb->s_head) < ntohl(jsb->s_first) ||
+ ntohl(jsb->s_head) >= journal->j_total_len))
+ return EXT2_ET_CORRUPT_JOURNAL_SB;
+
 journal->j_tail_sequence = ntohl(jsb->s_sequence);
 journal->j_transaction_sequence = journal->j_tail_sequence;
 journal->j_tail = ntohl(jsb->s_start);
diff --git a/e2fsck/journal.c b/e2fsck/journal.c
index 8950446f..4b9f00ce 100644
--- a/e2fsck/journal.c
+++ b/e2fsck/journal.c
@@ -1374,6 +1374,15 @@ static errcode_t e2fsck_journal_load(journal_t *journal)
 return EXT2_ET_CORRUPT_JOURNAL_SB;
 }
 
+ if (jsb->s_head != 0 &&
+ (ntohl(jsb->s_head) < ntohl(jsb->s_first) ||
+ ntohl(jsb->s_head) >= journal->j_total_len)) {
+ com_err(ctx->program_name, EXT2_ET_CORRUPT_JOURNAL_SB,
+ _("%s, journal head out of bounds\n"),
+ ctx->device_name);
+ return EXT2_ET_CORRUPT_JOURNAL_SB;
+ }
+
 journal->j_tail_sequence = ntohl(jsb->s_sequence);
 journal->j_transaction_sequence = journal->j_tail_sequence;
 journal->j_tail = ntohl(jsb->s_start);
-- 
2.31.1
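Review bot: The new s_head check in debugfs/journal.c carries no comment saying why a zero head is exempt or why the accepted range is [s_first, j_total_len), and the identical check is added just as silently in the e2fsck/journal.c hunk. Suggest placing `/* s_head == 0 means no head is recorded; any other value must name a block inside the journal, i.e. lie in [s_first, s_maxlen) */` above the `if` (the preceding lines appear to have clamped j_total_len to s_maxlen, but that code is outside the hunk, so confirm before wording it that way). The commit message says the value is fixed when out of bounds, yet both hunks only return EXT2_ET_CORRUPT_JOURNAL_SB; if the actual repair happens in a caller's corrupt-superblock path the message should say so, and in debugfs the load simply fails rather than being fixed. ext2fs_journal_load starts and ends outside the hunk.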
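Review bot: The com_err message in the e2fsck/journal.c hunk reports only the device name, so a log reader cannot tell a head that drifted one block past the end from one that is garbage, nor see the bounds it was checked against; the sibling s_maxlen error just above seems to follow the same terse pattern, so this is a suggestion rather than an inconsistency. Suggest `_("%s, journal head %u out of bounds [%u, %u)\n"), ctx->device_name, (unsigned) ntohl(jsb->s_head), (unsigned) ntohl(jsb->s_first), (unsigned) journal->j_total_len);` with the casts keeping the format portable whatever the field widths are, which the hunk does not show. e2fsck_journal_load starts and ends outside the hunk.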