# HG changeset patch
# User tytso@mit.edu
# Date 1182493358 14400
# Node ID 702632e66380e459f60b238570edd1e911dd46bc
# Parent 17c2ad1542e716779e127b5db35879c391ac6282
e2fsck: added sanity check for xattr validation
Add an extra validity test in check_ext_attr(). If an attribute's e_value_size is zero the current code does not allocate a region for it and as a result the e_value_offs value is not verified. However, if e_value_offs is very large then the later call to ext2fs_ext_attr_hash_entry() can dereference bad memory and crash e2fsck.
Signed-off-by: Andreas Dilger
Signed-off-by: Jim Garlick
--- a/e2fsck/ChangeLog Thu Jun 21 13:43:33 2007 -0400
+++ b/e2fsck/ChangeLog Fri Jun 22 02:22:38 2007 -0400
@@ -1,3 +1,13 @@
 2007-06-18 Theodore Tso
+
+ * pass1.c (check_ext_attr): Adds an extra validity test in
+ check_ext_attr(). If an attribute's e_value_size is zero
+ the current code does not allocate a region for it and as
+ a result the e_value_offs value is not verified. However,
+ if e_value_offs is very large then the later call to
+ ext2fs_ext_attr_hash_entry() can dereference bad memory
+ and crash e2fsck.
+ 2007-06-18 Theodore Tso
 * journal.c (e2fsck_run_ext3_journal), unix.c (main): Explicitly
--- a/e2fsck/pass1.c Thu Jun 21 13:43:33 2007 -0400
+++ b/e2fsck/pass1.c Fri Jun 22 02:22:38 2007 -0400
@@ -1380,6 +1380,11 @@ static int check_ext_attr(e2fsck_t ctx,
 if (fix_problem(ctx, PR_1_EA_BAD_VALUE, pctx))
 goto clear_extattr;
 }
+ if (entry->e_value_offs + entry->e_value_size > fs->blocksize) {
+ if (fix_problem(ctx, PR_1_EA_BAD_VALUE, pctx))
+ goto clear_extattr;
+ break;
+ }
 if (entry->e_value_size &&
 region_allocate(region, entry->e_value_offs,
 EXT2_EXT_ATTR_SIZE(entry->e_value_size))) {
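Review bot: The new bound `entry->e_value_offs + entry->e_value_size > fs->blocksize` is evaluated in unsigned 32-bit arithmetic, so a corrupt entry whose e_value_size is close to UINT32_MAX makes the sum wrap to a value below fs->blocksize and slip past the check this commit adds. In struct ext2_ext_attr_entry e_value_offs is a __u16 and e_value_size a __u32, so the wrap is reachable from on-disk data alone, which is exactly the input e2fsck must assume is hostile. Writing the test without an addition closes it: `if (entry->e_value_size > fs->blocksize || entry->e_value_offs > fs->blocksize - entry->e_value_size) {`. Such an entry would otherwise reach region_allocate() with EXT2_EXT_ATTR_SIZE(e_value_size) and then the ext2fs_ext_attr_hash_entry() call named in the description with an unvalidated size, presumably the same out-of-bounds read the commit sets out to prevent. check_ext_attr() starts and ends outside the hunk, so the later hash call and the field declarations are not visible here.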