From: Darrick J. Wong Date: Thu, 17 Jul 2025 14:59:33 +0000 (-0700) Subject: libext2fs: fix data read corruption in ext2fs_file_read_inline_data X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=10d7761527fa0778a64ea5cf3482744869dbb3a7;p=thirdparty%2Fe2fsprogs.git libext2fs: fix data read corruption in ext2fs_file_read_inline_data Fix numerous problems in the function that reads data from an inlinedata file: - Reads starting after isize should be returned as short reads. - Reads past the end of the inline data should return zeroes. - Reads from the inline data buffer must not exceed isize. Cc: linux-ext4@vger.kernel.org # v1.43 Fixes: 54e880b870f7fe ("libext2fs: handle inline data in read/write function") Signed-off-by: Darrick J. Wong Link: https://lore.kernel.org/r/20250717145933.GI2672022@frogsfrogsfrogs Signed-off-by: Theodore Ts'o --- diff --git a/lib/ext2fs/fileio.c b/lib/ext2fs/fileio.c index 818f7f05..900002c5 100644 --- a/lib/ext2fs/fileio.c +++ b/lib/ext2fs/fileio.c @@ -255,18 +255,26 @@ ext2fs_file_read_inline_data(ext2_file_t file, void *buf, unsigned int wanted, unsigned int *got) { ext2_filsys fs; - errcode_t retval; + errcode_t retval = 0; unsigned int count = 0; + uint64_t isize = EXT2_I_SIZE(&file->inode); size_t size; + if (file->pos >= isize) + goto out; + fs = file->fs; retval = ext2fs_inline_data_get(fs, file->ino, &file->inode, file->buf, &size); if (retval) return retval; - if (file->pos >= size) - goto out; + /* + * size is the number of bytes available for inline data storage, which + * means it can exceed isize. + */ + if (size > isize) + size = isize; count = size - file->pos; if (count > wanted) @@ -275,6 +283,14 @@ ext2fs_file_read_inline_data(ext2_file_t file, void *buf, file->pos += count; buf = (char *) buf + count; + /* zero-fill the rest of the buffer */ + wanted -= count; + if (wanted > 0) { + memset(buf, 0, wanted); + file->pos += wanted; + count += wanted; + } + out: if (got) *got = count;