git.ipfire.org Git - thirdparty/e2fsprogs.git/commitdiff
e2fsck: fix handling of an invalid symlink in an inline_data directory
author Theodore Ts'o <tytso@mit.edu>
Wed, 14 Jun 2023 18:44:19 +0000 (14:44 -0400)
committer Theodore Ts'o <tytso@mit.edu>
Wed, 14 Jun 2023 19:15:15 +0000 (15:15 -0400)
If there is an inline directory that contains a directory entry to an
invalid symlink, and that invalid symlink is the portion of the inline
directory stored in an xattr portion of the inode, this can result in
a buffer overrun.

When check_dir_block() is handling the in-xattr portion of the inline
directory, it sets the buf pointer to the beginning of that part of
the inline directory.  This results in the scratch buffer passed to
e2fsck_process_bad_inode() to be incorrect, resulting in a buffer overrun
if e2fsck_pass1_check_symlink() needs to read the symlink target (when
the symlink is too long to fit in the i_blocks[] space).

This commit fixes this by using the original cd->buf instead of buf,
since it can get modified when handling inline directories.

Fixes: 0ac4b3973f31 ("e2fsck: inspect inline dir data as two directory blocks")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
e2fsck/pass2.c

index 47f9206fbcfd868b47b6c481e304dce79c16fcf0..42f3e5efbd09b0786d41cc588aa83feefcaf9e82 100644 (file)
@@ -1523,7 +1523,7 @@ skip_checksum:
                                             dirent->inode)) {
                        if (e2fsck_process_bad_inode(ctx, ino,
                                                     dirent->inode,
-                                                    buf + fs->blocksize)) {
+                                                    cd->buf + fs->blocksize)) {
                                dirent->inode = 0;
                                dir_modified++;
                                goto next;
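Review bot: The changed argument to e2fsck_process_bad_inode() carries no comment saying why cd->buf is used rather than the local buf, and to a later reader the two look interchangeable. A one-line comment at this call, noting that buf may have been repointed at the in-xattr part of an inline directory so that buf + fs->blocksize no longer addresses the scratch area, would keep the fix from being reverted in a cleanup. It is also worth auditing any other use of buf + fs->blocksize in check_dir_block() that runs after buf is reassigned. The diff as shown touches only e2fsck/pass2.c, so a regression test image with an over-long symlink referenced from the xattr part of an inline_data directory would be a useful companion.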