From: Theodore Ts'o Date: Mon, 17 Jul 2017 23:55:39 +0000 (-0400) Subject: libext2fs: fix the s_log_block_size check in ext2fs_open() X-Git-Tag: v1.43.5~33 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74da94f3bf240bb8ad1b57a94a8f94fa3050e906;p=thirdparty%2Fe2fsprogs.git libext2fs: fix the s_log_block_size check in ext2fs_open() The s_log_block_check can fail to detect an invalid value if it is between UINT_MAX-9 and UINT_MAX, which can lead to ext2fs_open() crashing with a division by zero error. This bug was found using American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/ Addresses-Debian-Bug: #868489 Reported-by: jwilk@jwilk.net Signed-off-by: Theodore Ts'o --- diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c index 93b02ed86..0362b2839 100644 --- a/lib/ext2fs/openfs.c +++ b/lib/ext2fs/openfs.c @@ -275,8 +275,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options, } } - if ((fs->super->s_log_block_size + EXT2_MIN_BLOCK_LOG_SIZE) > - EXT2_MAX_BLOCK_LOG_SIZE) { + if (fs->super->s_log_block_size > + (unsigned) (EXT2_MAX_BLOCK_LOG_SIZE - EXT2_MIN_BLOCK_LOG_SIZE)) { retval = EXT2_ET_CORRUPT_SUPERBLOCK; goto cleanup; }
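Review bot: The rewritten condition in ext2fs_open2(), `fs->super->s_log_block_size > (unsigned) (EXT2_MAX_BLOCK_LOG_SIZE - EXT2_MIN_BLOCK_LOG_SIZE)`, carries no comment explaining why the bound is computed on the constant side. At a glance it reads as algebraically equivalent to the removed `s_log_block_size + EXT2_MIN_BLOCK_LOG_SIZE` form, so a later cleanup could fold it back and reintroduce the unsigned wraparound that the commit message describes for values between UINT_MAX-9 and UINT_MAX. Suggest a one-line comment above the check saying that adding to the on-disk field can wrap and that the field must therefore be compared against the constant difference. The `(unsigned)` cast is correct only while EXT2_MAX_BLOCK_LOG_SIZE is at least EXT2_MIN_BLOCK_LOG_SIZE; the definitions are not visible in this hunk, so that is worth confirming against the header. Since the commit message says the crash was found by fuzzing, a regression test image with s_log_block_size in the stated range would keep the check from regressing.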