| From 8dd73c149f418238f19791f9d666089ef9734dff Mon Sep 17 00:00:00 2001 |
| From: Theodore Ts'o <tytso@mit.edu> |
| Date: Thu, 19 Dec 2019 19:37:34 -0500 |
| Subject: [PATCH] e2fsck: abort if there is a corrupted directory block when |
| rehashing |
| |
| In e2fsck pass 3a, when we are rehashing directories, at least in |
| theory, all of the directories should have had corruptions with |
| respect to directory entry structure fixed. However, it's possible |
| (for example, if the user declined a fix) that we can reach this stage |
| of processing with corrupted directory entries. |
| |
| So check for that case and don't try to process a corrupted directory |
| block so we don't run into trouble in mutate_name() if there is a |
| zero-length file name. |
| |
| Addresses: TALOS-2019-0973 |
| Addresses: CVE-2019-5188 |
| Signed-off-by: Theodore Ts'o <tytso@mit.edu> |
| |
| CVE: CVE-2019-5188 |
| Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> |
| Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff] |
| --- |
| e2fsck/rehash.c | 9 +++++++++ |
| 1 file changed, 9 insertions(+) |
| |
| diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c |
| index a5fc1be1..3dd1e941 100644 |
| --- a/e2fsck/rehash.c |
| +++ b/e2fsck/rehash.c |
| @@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs, |
| dir_offset += rec_len; |
| if (dirent->inode == 0) |
| continue; |
| + if ((name_len) == 0) { |
| + fd->err = EXT2_ET_DIR_CORRUPTED; |
| + return BLOCK_ABORT; |
| + } |
| if (!fd->compress && (name_len == 1) && |
| (dirent->name[0] == '.')) |
| continue; |
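Review bot: The guard `if ((name_len) == 0) {` has stray parentheses around `name_len` that the neighbouring test `(name_len == 1)` does not use; `if (name_len == 0) {` reads consistently. It would also help to add a one-line comment above it, e.g. `/* a live entry with an empty name is corrupt; stop before rehashing */`, because the check sits after the `dirent->inode == 0` skip and so applies only to in-use entries. fill_dir_block() begins and ends outside the hunk, so whether name_len is already bounded against rec_len earlier cannot be seen from here.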
| @@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs, |
| continue; |
| } |
| new_len = ext2fs_dirent_name_len(ent->dir); |
| + if (new_len == 0) { |
| + /* should never happen */ |
| + ext2fs_unmark_valid(fs); |
| + continue; |
| + } |
| memcpy(new_name, ent->dir->name, new_len); |
| mutate_name(new_name, &new_len); |
| for (j=0; j < fd->num_array; j++) { |
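Review bot: The comment `/* should never happen */` on the `new_len == 0` branch does not say why the case is unreachable or what the branch protects. Going by the commit message, fill_dir_block() now aborts on a zero-length name and the hazard is mutate_name() being handed a zero length; a comment such as `/* fill_dir_block() rejects zero-length names; skip so mutate_name() never sees len 0 */` would record that. The branch only calls ext2fs_unmark_valid() and continues, so nothing in the hunk reports which entry was skipped; if that is intentional, the same comment should say so. duplicate_search_and_fix() starts and ends outside the hunk.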
| -- |
| 2.24.1 |
| |