From 265fcf9204fd06f574578ebe780f24e62bac2e86 Mon Sep 17 00:00:00 2001

From: Lukas Czerner <lczerner@redhat.com>

Date: Thu, 21 Apr 2022 19:31:48 +0200

Subject: [PATCH 1/2] libext2fs: add sanity check to extent manipulation

Content-Type: text/plain

It is possible to have a corrupted extent tree in such a way that a leaf

node contains zero extents in it. Currently if that happens and we try

to traverse the tree we can end up accessing wrong data, or possibly

even uninitialized memory. Make sure we don't do that.

Additionally make sure that we have a sane number of bytes passed to

memmove() in ext2fs_extent_delete().

Note that e2fsck is currently unable to spot and fix such corruption in

pass1.

Signed-off-by: Lukas Czerner <lczerner@redhat.com>

Reported-by: Nils Bars <nils_bars@t-online.de>

Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113

Addresses: CVE-2022-1304

Addresses-Debian-Bug: #1010263

Signed-off-by: Theodore Ts'o <tytso@mit.edu>

---

 lib/ext2fs/extent.c | 8 ++++++++

 1 file changed, 8 insertions(+)

diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c

index ac3dbfec..a1b1905c 100644

--- a/lib/ext2fs/extent.c

+++ b/lib/ext2fs/extent.c

@@ -495,6 +495,10 @@ retry:

 			ext2fs_le16_to_cpu(eh->eh_entries);

 		newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);

+		/* Make sure there is at least one extent present */

+		if (newpath->left <= 0)

+			return EXT2_ET_EXTENT_NO_DOWN;

+

 		if (path->left > 0) {

 			ix++;

 			newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);

@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)

 	cp = path->curr;

+	/* Sanity check before memmove() */

+	if (path->left < 0)

+		return EXT2_ET_EXTENT_LEAF_BAD;

+

 	if (path->left) {

 		memmove(cp, cp + sizeof(struct ext3_extent_idx),

 			path->left * sizeof(struct ext3_extent_idx));

-- 

2.35.1