diff options
author | Fedor Uporov <fsu@FreeBSD.org> | 2023-02-09 09:34:25 +0000 |
---|---|---|
committer | Fedor Uporov <fsu@FreeBSD.org> | 2023-03-18 06:16:22 +0000 |
commit | 366da717deda3964ae369f1f2fbd62114d14c587 (patch) | |
tree | 1b6347f543d910f402d17f42b902ffccbe309587 /sys | |
parent | 6b49a630f441e1a9e8c8e57d2bb71e589d95872c (diff) | |
download | src-366da717deda3964ae369f1f2fbd62114d14c587.tar.gz src-366da717deda3964ae369f1f2fbd62114d14c587.zip |
Add root directory entry check.
Add check that directory entry with ino=EXT2_ROOTINO
have correct namelength and name. It is possible to
create malicious image which will cause panic if root
directory entry have incorrect name.
PR: 259068
Reported by: Robert Morris
Reviewed by: pfg
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D38502
Diffstat (limited to 'sys')
-rw-r--r-- | sys/fs/ext2fs/ext2_lookup.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/fs/ext2fs/ext2_lookup.c b/sys/fs/ext2fs/ext2_lookup.c index 67409a5e2a17..93a2d172e01f 100644 --- a/sys/fs/ext2fs/ext2_lookup.c +++ b/sys/fs/ext2fs/ext2_lookup.c @@ -818,6 +818,8 @@ ext2_dirbad(struct inode *ip, doff_t offset, char *how) * record must be large enough to contain entry * name is not longer than MAXNAMLEN * name must be as long as advertised, and null terminated + * inode number less then inode count + * if root inode entry, it have correct name */ static int ext2_check_direntry(struct vnode *dp, struct ext2fs_direct_2 *de, @@ -836,6 +838,11 @@ ext2_check_direntry(struct vnode *dp, struct ext2fs_direct_2 *de, error_msg = "directory entry across blocks"; else if (le32toh(de->e2d_ino) > fs->e2fs->e2fs_icount) error_msg = "directory entry inode out of bounds"; + else if (le32toh(de->e2d_ino) == EXT2_ROOTINO && + ((de->e2d_namlen != 1 && de->e2d_namlen != 2) || + (de->e2d_name[0] != '.') || + (de->e2d_namlen == 2 && de->e2d_name[1] != '.'))) + error_msg = "bad root directory entry"; if (error_msg != NULL) { SDT_PROBE5(ext2fs, , trace, ext2_dirbadentry_error, |