diff options
| author | Neel Chauhan <nc@FreeBSD.org> | 2021-11-16 22:59:26 +0000 |
|---|---|---|
| committer | Neel Chauhan <nc@FreeBSD.org> | 2021-11-29 17:53:45 +0000 |
| commit | 3dd3a395ba975d0fbe13320e6e69fb85b037da5e (patch) | |
| tree | 7668e23a841e59f6a41a4387e6743308a3932ec6 | |
| parent | 1910048eb931bb749c42534a8f252d772c0719de (diff) | |
| download | src-3dd3a395ba975d0fbe13320e6e69fb85b037da5e.tar.gz src-3dd3a395ba975d0fbe13320e6e69fb85b037da5e.zip | |
ext2: Check for e2fs_first_dblock in ext2_compute_sb_data()
This prevents a kernel panic on a damaged ext2 superblock.
PR: 259107
Reported by: Robert Morris <rtm@lcs.mit.edu>
Differential Revision: https://reviews.freebsd.org/D33029
| -rw-r--r-- | sys/fs/ext2fs/ext2_vfsops.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/sys/fs/ext2fs/ext2_vfsops.c b/sys/fs/ext2fs/ext2_vfsops.c index 65f429949f55..0ab0327ae074 100644 --- a/sys/fs/ext2fs/ext2_vfsops.c +++ b/sys/fs/ext2fs/ext2_vfsops.c @@ -465,6 +465,13 @@ ext2_compute_sb_data(struct vnode *devvp, struct ext2fs *es, int g_count = 0; int error; + /* Check if first dblock is valid */ + if (fs->e2fs->e2fs_bcount >= 1024 && fs->e2fs->e2fs_first_dblock) { + SDT_PROBE1(ext2fs, , vfsops, ext2_compute_sb_data_error, + "first dblock is invalid"); + return (EINVAL); + } + /* Check checksum features */ if (EXT2_HAS_RO_COMPAT_FEATURE(fs, EXT2F_ROCOMPAT_GDT_CSUM) && EXT2_HAS_RO_COMPAT_FEATURE(fs, EXT2F_ROCOMPAT_METADATA_CKSUM)) { @@ -611,7 +618,8 @@ ext2_compute_sb_data(struct vnode *devvp, struct ext2fs *es, return (EINVAL); } - if (le32toh(es->e2fs_first_dblock) >= fs->e2fs_bcount) { + if (le32toh(es->e2fs_first_dblock) != (fs->e2fs_bsize > 1024 ? 0 : 1) || + le32toh(es->e2fs_first_dblock) >= fs->e2fs_bcount) { SDT_PROBE1(ext2fs, , vfsops, ext2_compute_sb_data_error, "first data block out of range"); return (EINVAL); |