From: Theodore Ts'o
Date: Mon, 16 Oct 2017 04:28:45 +0000 (-0400)
Subject: libext2fs: fix potential memory access overrun in ext2fs_inode_csum()
X-Git-Tag: v1.43.7~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d1ccc6e58bf80d07c131f074f1222a67c82bc6af;p=thirdparty%2Fe2fsprogs.git

libext2fs: fix potential memory access overrun in ext2fs_inode_csum()

If the superblock has a revision level of 0, then s_inode_size is undefined, and the actual inode size is 128 bytes. This is handled by the EXT2_INODE_SIZE() helper macro. If s_inode_size is maliciously set to a large value, and the s_rev_level is 0, then this could result in an illegal memory pointer dereference.

Addresses-Debian-Bug: #878104
Reported-by: Jakub Wilk
Signed-off-by: Theodore Ts'o
---
diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c index e67850fa4..093da04fe 100644 --- a/lib/ext2fs/csum.c +++ b/lib/ext2fs/csum.c @@ -632,7 +632,7 @@ static errcode_t ext2fs_inode_csum(ext2_filsys fs, ext2_ino_t inum, { __u32 gen; struct ext2_inode_large *desc = inode; - size_t size = fs->super->s_inode_size; + size_t size = EXT2_INODE_SIZE(fs->super); __u16 old_lo; __u16 old_hi = 0;
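Review bot: The change to `size_t size = EXT2_INODE_SIZE(fs->super);` only closes the revision-0 case: as the commit message says, the macro substitutes 128 bytes when s_rev_level is 0, but for any other revision it hands back s_inode_size unchanged, so `size` in ext2fs_inode_csum() is still whatever a dynamic-revision superblock claims. Either state in the commit message where s_inode_size is bounded for s_rev_level != 0 (so a reader can confirm the checksum routine cannot read past the inode buffer on that path too), or add a local sanity check in this function, for example rejecting `size > fs->blocksize` before the inode bytes are hashed. It is also worth grepping lib/ext2fs for other direct reads of `fs->super->s_inode_size` that should go through the same macro. The `__u16 old_lo; __u16 old_hi = 0;` context lines are unaffected by this change.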