From 20a8dbefbc0510430aa7744692221b843b657f62 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <tytso@mit.edu>
Date: Tue, 14 Jan 2020 10:58:10 -0500
Subject: [PATCH 02/46] libext2fs: fix crash in ext2fs_image_super_write() on
Big Endian systems
Content-Type: text/plain
This is a similar fix as c9a8c53b17cc ("libext2fs: fix crash in
ext2fs_open2() on Big Endian systems").
Commit e6069a05: ("Teach ext2fs_open2() to honor the
EXT2_FLAG_SUPER_ONLY flag") changed how the function
ext2fs_group_desc() handled a request for a gdp pointer for a group
larger than the number of groups in the file system; it now returns
NULL, instead of returning a pointer beyond the end of the array.
Previously, the ext2fs_image_super_write() function would swap all of
the block group descriptors in a block, even if they are beyond the
end of the file system. This was OK, since we were not overrunning
the allocated memory, since it was rounded to a block boundary. But
now that ext2fs_group_desc() would return NULL for those gdp, it would
cause ext2fs_open2(), when it was byte swapping the block group
descriptors on Big Endian systems, to dereference a null pointer and
crash.
This commit adds a NULL pointer check to avoid byte swapping those
block group descriptors in a bg descriptor block, but which are beyond
the end of the file system, to address this crash.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: Anatoly Pugachev <matorola@gmail.com>
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
---
lib/ext2fs/imager.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/ext2fs/imager.c b/lib/ext2fs/imager.c
index b3ede9a8..f8d67d86 100644
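--- a/lib/ext2fs/imager.c
+++ b/lib/ext2fs/imager.c
@@ -249,10 +249,10 @@ errcode_t ext2fs_image_super_write(ext2_filsys fs, int fd,
 * if needed
 */
 groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
- gdp = (struct ext2_group_desc *) cp;
 for (j=0; j < groups_per_block*fs->desc_blocks; j++) {
 gdp = ext2fs_group_desc(fs, fs->group_desc, j);
- ext2fs_swap_group_desc2(fs, gdp);
+ if (gdp)
+ ext2fs_swap_group_desc2(fs, gdp);
 }
 #endif
 
@@ -261,10 +261,10 @@ errcode_t ext2fs_image_super_write(ext2_filsys fs, int fd,
 
 #ifdef WORDS_BIGENDIAN
 groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
- gdp = (struct ext2_group_desc *) cp;
 for (j=0; j < groups_per_block*fs->desc_blocks; j++) {
 gdp = ext2fs_group_desc(fs, fs->group_desc, j);
- ext2fs_swap_group_desc2(fs, gdp);
+ if (gdp)
+ ext2fs_swap_group_desc2(fs, gdp);
 }
 #endif
 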
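Review bot: The new `if (gdp)` guard in both swap loops skips every NULL return from ext2fs_group_desc(), not only the padding slots past the last group that the commit message describes, so a NULL for an in-range group (if one can occur, for example when a descriptor could not be loaded) would be written to the image unswapped and without an error. The loop still runs to `groups_per_block*fs->desc_blocks`; bounding it to the real group count, `for (j=0; j < fs->group_desc_count; j++) {`, would make the intent explicit and leave a NULL inside the range as a condition that can be reported. If the guard stays, a comment such as `/* slots past the last group in the final descriptor block return NULL */` above it would record why NULL is expected. The same applies to the second hunk, and ext2fs_image_super_write() begins and ends outside both hunks.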
--
2.35.1