From: Theodore Ts'o
Date: Thu, 12 May 2016 03:23:06 +0000 (-0400)
Subject: libext2fs: sanity check group argument to ext2fs_clear_{block,inode}_uninit()
X-Git-Tag: v1.43-WIP-2016-05-12~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3888c1e84dfe8a3d9a63f53c1f4c6ed56c391f17;p=thirdparty%2Fe2fsprogs.git

libext2fs: sanity check group argument to ext2fs_clear_{block,inode}_uninit()

Avoid a potential out-of-bounds memory access if the group passed to ext2fs_clear_block_uninit() or ext2fs_clear_inode_uninit() is greater than the number of groups in the file system. This prevents a failure in resize2fs when to allocate a block when growing the file system significantly.

Signed-off-by: Theodore Ts'o
---
diff --git a/lib/ext2fs/alloc.c b/lib/ext2fs/alloc.c
index ce59e8553..f96ac4bf8 100644
--- a/lib/ext2fs/alloc.c
+++ b/lib/ext2fs/alloc.c
@@ -41,7 +41,8 @@
 */
 void ext2fs_clear_block_uninit(ext2_filsys fs, dgrp_t group)
 {
- if (!ext2fs_has_group_desc_csum(fs) ||
+ if (group >= fs->group_desc_count ||
+ !ext2fs_has_group_desc_csum(fs) ||
 !(ext2fs_bg_flags_test(fs, group, EXT2_BG_BLOCK_UNINIT)))
 return;
 
@@ -61,7 +62,8 @@ static void check_inode_uninit(ext2_filsys fs, ext2fs_inode_bitmap map,
 {
 ext2_ino_t i, ino;
 
- if (!ext2fs_has_group_desc_csum(fs) ||
+ if (group >= fs->group_desc_count ||
+ !ext2fs_has_group_desc_csum(fs) ||
 !(ext2fs_bg_flags_test(fs, group, EXT2_BG_INODE_UNINIT)))
 return;
 
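Review bot: The added `group >= fs->group_desc_count` test in ext2fs_clear_block_uninit() makes an out-of-range group a silent no-op, and neither the comment that closes just above the function nor the guard itself records that contract; the second hunk adds the identical guard to check_inode_uninit() with the same gap. Both functions return void, so a caller that computed a bad group number gets no signal, and the next reader cannot tell a deliberate tolerance (the resize2fs growth case in the description) from a masked bug. I would add a one-line comment at each guard, for example `/* group may be past group_desc_count while the fs is being grown; nothing to clear */`. The check is also placed at two call sites rather than in `ext2fs_bg_flags_test()` itself, so other callers that pass a caller-supplied group presumably remain exposed to the same out-of-bounds read, which is worth confirming outside this diff. Both function bodies continue past the end of their hunks.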