e2fsck: sanity check the journal inode number
authorTheodore Ts'o <tytso@mit.edu>
Mon, 30 May 2022 23:17:30 +0000 (19:17 -0400)
committerTheodore Ts'o <tytso@mit.edu>
Mon, 30 May 2022 23:17:30 +0000 (19:17 -0400)
E2fsck replays the journal before sanity checking the full superblock.
So it's possible that the journal inode number is not valid relative
to the number of block groups.  To avoid a potential array
bounds overrun, sanity check this before trying to find the journal
inode.

Reported-by: Nils Bars <nils.bars@rub.de>
Reported-by: Moritz Schlögel <moritz.schloegel@rub.de>
Reported-by: Nico Schiller <nico.schiller@rub.de>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
e2fsck/journal.c

index 2e867234b8d1c99af6a27216ebb842567764af84..12487e3d8d798a5ff3c784d146ada5949fe5d2cf 100644 (file)
@@ -989,7 +989,14 @@ static errcode_t e2fsck_get_journal(e2fsck_t ctx, journal_t **ret_journal)
        journal->j_blocksize = ctx->fs->blocksize;
 
        if (uuid_is_null(sb->s_journal_uuid)) {
-               if (!sb->s_journal_inum) {
+               /*
+                * The full set of superblock sanity checks haven't
+                * been performed yet, so we need to do some basic
+                * checks here to avoid potential array overruns.
+                */
+               if (!sb->s_journal_inum ||
+                   (sb->s_journal_inum >
+                    (ctx->fs->group_desc_count * sb->s_inodes_per_group))) {
                        retval = EXT2_ET_BAD_INODE_NUM;
                        goto errout;
                }
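Review bot: The bound in the added condition is computed in 32-bit arithmetic, and the comment above it says the superblock has not been fully validated yet, so a corrupt s_inodes_per_group can make `ctx->fs->group_desc_count * sb->s_inodes_per_group` wrap and yield a bound that is smaller than the real inode count, causing a valid journal inode to be rejected (or, with an unlucky wrap, an out-of-range one to be accepted). Widening the product closes that gap: `(sb->s_journal_inum > (__u64) ctx->fs->group_desc_count * sb->s_inodes_per_group)`. It may also be worth stating in the comment why the product is used instead of s_inodes_count, since the latter is equally unvalidated at this point; I am inferring that intent from the comment rather than from visible code. e2fsck_get_journal starts and ends outside this hunk.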