From: Artemiy Volkov <artemiyv@acm.org>
Date: Mon, 30 Nov 2015 17:03:52 +0000 (-0500)
Subject: e2fsck: do not read EA header beyond the end of an inode
X-Git-Tag: android-x86-8.1-r1~49^2^2^2^2~28^2~20
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=2b833c9aae3323745af3fdc998d8b3255f40511e;p=android-x86%2Fexternal-e2fsprogs.git

e2fsck: do not read EA header beyond the end of an inode

In check_inode_extra_space(), if we attempt to read an EA header at
the end of the extra space, in a corrupted filesystem it may result in
a read beyond the bounds of the inode. Add a check to prevent this.

Reproduced by running ./test_one --valgrind f_write_ea_toobig_extra_isize.

Signed-off-by: Artemiy Volkov <artemiyv@acm.org>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Darrick J. Wong <darrick.wong@oracle.com>
---

diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c
index ac3ea4eb..66ff69a3 100644
--- a/e2fsck/pass1.c
+++ b/e2fsck/pass1.c
@@ -382,6 +382,10 @@ static void check_inode_extra_space(e2fsck_t ctx, struct problem_context *pctx)
 		return;
 	}
 
+	/* check if there is no place for an EA header */
+	if (inode->i_extra_isize >= max - sizeof(__u32))
+		return;
+
 	eamagic = (__u32 *) (((char *) inode) + EXT2_GOOD_OLD_INODE_SIZE +
 			inode->i_extra_isize);
 	if (*eamagic == EXT2_EXT_ATTR_MAGIC) {