libext2fs: add sanity checks for ea_in_inode

An inode containing the value for an extended attribute (aka an
ea_in_inode) must not have the INLINE_DATA flag and must have the
EA_INODE flag set.  Enforcing this prevents e2fsck and debugfs crashes
caused by a maliciously crafted file system containing an inode which
has both the EA_INODE and INLINE_DATA flags set, and where that inode
has an extended attribute whose e_value_inum points to itself.

Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c
index fccd8816ad12d57ceca99d727df10db653b59772..69b3f09e7f5459f19e0a0a10fe4ac2502daed312 100644 (file)
--- a/e2fsck/pass1.c
+++ b/e2fsck/pass1.c
@@ -1542,6 +1542,7 @@ void e2fsck_pass1(e2fsck_t ctx)
                        case EXT2_ET_NO_INLINE_DATA:
                        case EXT2_ET_EXT_ATTR_CSUM_INVALID:
                        case EXT2_ET_EA_BAD_VALUE_OFFSET:
+                       case EXT2_ET_EA_INODE_CORRUPTED:
                                /* broken EA or no system.data EA; truncate */
                                if (fix_problem(ctx, PR_1_INLINE_DATA_NO_ATTR,
                                                &pctx)) {

diff --git a/lib/ext2fs/ext2_err.et.in b/lib/ext2fs/ext2_err.et.in
index ac96964d93d028b5083f5694124502f601daf18f..16abd23d8133daebff81a1055f1662dd1cf34f1f 100644 (file)
--- a/lib/ext2fs/ext2_err.et.in
+++ b/lib/ext2fs/ext2_err.et.in
@@ -542,4 +542,7 @@ ec  EXT2_ET_CORRUPT_JOURNAL_SB,
 ec     EXT2_ET_INODE_CORRUPTED,
        "Inode is corrupted"
 
+ec     EXT2_ET_EA_INODE_CORRUPTED,
+       "Inode containing extended attribute value is corrupted"
+
        end

diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c
index 89c5f2cb6baa52387f8172f5ea74df4f9b55aaf1..81b067ad55fd66ea7c0583d001a12cc2c6fe786c 100644 (file)
--- a/lib/ext2fs/ext_attr.c
+++ b/lib/ext2fs/ext_attr.c
@@ -903,6 +903,7 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
                        memcpy(x->value, value_start + entry->e_value_offs,
                               entry->e_value_size);
                } else {
+                       struct ext2_inode *ea_inode;
                        ext2_file_t ea_file;
 
                        if (entry->e_value_offs != 0)
@@ -920,7 +921,12 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
                        if (err)
                                return err;
 
-                       if (ext2fs_file_get_size(ea_file) !=
+                       ea_inode = ext2fs_file_get_inode(ea_file);
+                       if ((ea_inode->i_flags & EXT4_INLINE_DATA_FL) ||
+                           !(ea_inode->i_flags & EXT4_EA_INODE_FL) ||
+                           ea_inode->i_links_count == 0)
+                               err = EXT2_ET_EA_INODE_CORRUPTED;
+                       else if (ext2fs_file_get_size(ea_file) !=
                            entry->e_value_size)
                                err = EXT2_ET_EA_BAD_VALUE_SIZE;
                        else