From 8a51e038d172c3405466ddb60d712c2ac934b954 Mon Sep 17 00:00:00 2001

From: Theodore Ts'o <tytso@mit.edu>

Date: Thu, 19 Dec 2019 19:37:34 -0500

Subject: [PATCH 07/10] e2fsck: abort if there is a corrupted directory block

 when rehashing

In e2fsck pass 3a, when we are rehashing directories, at least in

theory, all of the directories should have had corruptions with

respect to directory entry structure fixed.  However, it's possible

(for example, if the user declined a fix) that we can reach this stage

of processing with a corrupted directory entries.

So check for that case and don't try to process a corrupted directory

block so we don't run into trouble in mutate_name() if there is a

zero-length file name.

Addresses: TALOS-2019-0973

Addresses: CVE-2019-5188

Signed-off-by: Theodore Ts'o <tytso@mit.edu>

---

 e2fsck/rehash.c | 9 +++++++++

 1 file changed, 9 insertions(+)

diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c

index a5fc1be1..3dd1e941 100644

--- a/e2fsck/rehash.c

+++ b/e2fsck/rehash.c

@@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs,

 		dir_offset += rec_len;

 		if (dirent->inode == 0)

 			continue;

+		if ((name_len) == 0) {

+			fd->err = EXT2_ET_DIR_CORRUPTED;

+			return BLOCK_ABORT;

+		}

 		if (!fd->compress && (name_len == 1) &&

 		    (dirent->name[0] == '.'))

 			continue;

@@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs,

 			continue;

 		}

 		new_len = ext2fs_dirent_name_len(ent->dir);

+		if (new_len == 0) {

+			 /* should never happen */

+			ext2fs_unmark_valid(fs);

+			continue;

+		}

 		memcpy(new_name, ent->dir->name, new_len);

 		mutate_name(new_name, &new_len);

 		for (j=0; j < fd->num_array; j++) {

-- 

2.21.1