authorFedor Uporov <fsu@FreeBSD.org>2023-02-09 09:34:25 +0000
committerFedor Uporov <fsu@FreeBSD.org>2023-03-18 06:16:22 +0000
commit366da717deda3964ae369f1f2fbd62114d14c587 (patch)
tree1b6347f543d910f402d17f42b902ffccbe309587 /sys
parent6b49a630f441e1a9e8c8e57d2bb71e589d95872c (diff)
Add root directory entry check.
Add a check that a directory entry with ino=EXT2_ROOTINO has the correct name length and name. It is possible to create a malicious image which will cause a panic if the root directory entry has an incorrect name. PR: 259068 Reported by: Robert Morris Reviewed by: pfg MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D38502
Diffstat (limited to 'sys')
-rw-r--r--sys/fs/ext2fs/ext2_lookup.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/fs/ext2fs/ext2_lookup.c b/sys/fs/ext2fs/ext2_lookup.c
index 67409a5e2a17..93a2d172e01f 100644
--- a/sys/fs/ext2fs/ext2_lookup.c
+++ b/sys/fs/ext2fs/ext2_lookup.c
@@ -818,6 +818,8 @@ ext2_dirbad(struct inode *ip, doff_t offset, char *how)
* record must be large enough to contain entry
* name is not longer than MAXNAMLEN
* name must be as long as advertised, and null terminated
+ * inode number less then inode count
+ * if root inode entry, it have correct name
*/
static int
ext2_check_direntry(struct vnode *dp, struct ext2fs_direct_2 *de,
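Review bot: The two added comment lines do not quite match what the code enforces. The bound visible in the second hunk is `le32toh(de->e2d_ino) > fs->e2fs->e2fs_icount`, so an inode number equal to the inode count is accepted, and the root-inode rule is specifically that the name is "." or "..". I would word them as `* inode number is not greater than the inode count` and `* an entry for EXT2_ROOTINO is named "." or ".."`, which also fixes "less then" and "it have". This function validates on-disk directory data that may come from a crafted image, so the list in the header comment should state each check exactly as coded. The body of ext2_check_direntry continues outside this hunk.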
@@ -836,6 +838,11 @@ ext2_check_direntry(struct vnode *dp, struct ext2fs_direct_2 *de,
error_msg = "directory entry across blocks";
else if (le32toh(de->e2d_ino) > fs->e2fs->e2fs_icount)
error_msg = "directory entry inode out of bounds";
+ else if (le32toh(de->e2d_ino) == EXT2_ROOTINO &&
+ ((de->e2d_namlen != 1 && de->e2d_namlen != 2) ||
+ (de->e2d_name[0] != '.') ||
+ (de->e2d_namlen == 2 && de->e2d_name[1] != '.')))
+ error_msg = "bad root directory entry";
if (error_msg != NULL) {
SDT_PROBE5(ext2fs, , trace, ext2_dirbadentry_error,