From db2efc9e0a8cdb70afc8dd7c9621da9376da7afb Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <tytso@mit.edu>
Date: Thu, 26 Dec 2019 23:19:54 -0500
Subject: [PATCH 01/46] libext2fs: fix crash in ext2fs_open2() on Big Endian
systems
Content-Type: text/plain
Commit e6069a05 ("Teach ext2fs_open2() to honor the
EXT2_FLAG_SUPER_ONLY flag") changed how the function
ext2fs_group_desc() handled a request for a gdp pointer for a group
larger than the number of groups in the file system; it now returns
NULL, instead of returning a pointer beyond the end of the array.
Previously, the ext2fs_open2() function would swap all of the block
group descriptors in a block, even if they are beyond the end of the
file system. This was OK, since we were not overrunning the allocated
memory, since it was rounded to a block boundary. But now that
ext2fs_group_desc() would return NULL for those gdp, it would cause
ext2fs_open2(), when it was byte swapping the block group descriptors
on Big Endian systems, to dereference a null pointer and crash.
This commit adds a NULL pointer check to avoid byte swapping those
block group descriptors in a bg descriptor block, but which are beyond
the end of the file system, to address this crash.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: Anatoly Pugachev <matorola@gmail.com>
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
---
lib/ext2fs/openfs.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
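diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c
index 51b54a44..e457ce1a 100644
--- a/lib/ext2fs/openfs.c
+++ b/lib/ext2fs/openfs.c
@@ -433,7 +433,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
 gdp = (struct ext2_group_desc *) dest;
 for (j=0; j < groups_per_block*first_meta_bg; j++) {
 gdp = ext2fs_group_desc(fs, fs->group_desc, j);
- ext2fs_swap_group_desc2(fs, gdp);
+ if (gdp)
+ ext2fs_swap_group_desc2(fs, gdp);
 }
 #endif
 dest += fs->blocksize*first_meta_bg;
@@ -453,7 +454,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
 for (j=0; j < groups_per_block; j++) {
 gdp = ext2fs_group_desc(fs, fs->group_desc,
 i * groups_per_block + j);
- ext2fs_swap_group_desc2(fs, gdp);
+ if (gdp)
+ ext2fs_swap_group_desc2(fs, gdp);
 }
 #endif
 dest += fs->blocksize;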
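Review bot: The bare `if (gdp)` added in both loops skips a NULL return silently, so a reader cannot tell the expected case (descriptor slots past the last group in a rounded-up descriptor block, per the commit message) from a lookup that failed for some other reason. A short comment above each check would record the intent, e.g. `/* NULL: slot is past the last group in this descriptor block, nothing to swap */`; alternatively the loops could stop once the index reaches the file system's group count instead of relying on the NULL return. The loop bounds presumably derive from on-disk superblock fields and, judging by the `#endif` after each loop and the commit subject, this path is only built on big-endian hosts, so a regression test using an image whose group count is not a multiple of `groups_per_block` would keep it covered where little-endian test runs do not. In the first hunk, `gdp = (struct ext2_group_desc *) dest;` is overwritten on the first loop iteration and looks like a leftover. The body of ext2fs_open2() starts and ends outside both hunks.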
--
2.35.1