From: Yu Watanabe
Date: Tue, 2 May 2023 16:29:08 +0000 (+0900)
Subject: sd-journal: check .next_entry_array_offset earlier
X-Git-Tag: v254-rc1~571^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b5335da7a54d6597a1539b56b5a0cb1f8d36dfdd;p=thirdparty%2Fsystemd.git
sd-journal: check .next_entry_array_offset earlier
Then, if it is invalid, refuse to use the entry array object.
Follow-up for a8fbcc0e3c033a43e511550052cace6b0dcf3df7.
Fixes #27489.
---
diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c
index 501e7276b6d..8827e9b939b 100644
--- a/src/libsystemd/sd-journal/journal-file.c
+++ b/src/libsystemd/sd-journal/journal-file.c
@@ -924,7 +924,7 @@ static int check_object(JournalFile *f, Object *o, uint64_t offset) {
 }
 case OBJECT_ENTRY_ARRAY: {
- uint64_t sz;
+ uint64_t sz, next;
 sz = le64toh(READ_NOW(o->object.size));
 if (sz < offsetof(Object, entry_array.items) ||
@@ -934,11 +934,12 @@ static int check_object(JournalFile *f, Object *o, uint64_t offset) {
 "Invalid object entry array size: %" PRIu64 ": %" PRIu64,
 sz,
 offset);
-
- if (!VALID64(le64toh(o->entry_array.next_entry_array_offset)))
+ /* Here, we request that the offset of each entry array object is in strictly increasing order. */
+ next = le64toh(o->entry_array.next_entry_array_offset);
+ if (!VALID64(next) || (next > 0 && next <= offset))
 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
- "Invalid object entry array next_entry_array_offset: " OFSfmt ": %" PRIu64,
- le64toh(o->entry_array.next_entry_array_offset),
+ "Invalid object entry array next_entry_array_offset: %" PRIu64 ": %" PRIu64,
+ next,
 offset);
 break;
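Review bot: In the second hunk `next` is loaded with a plain read, while `sz` in the same case block goes through `READ_NOW()`; if that macro exists to force a single read of mapped journal data that a concurrent writer or a crafted file can change, the value that passes `VALID64(next)` and `next <= offset` is not guaranteed to be the one used afterwards. I would write `next = le64toh(READ_NOW(o->entry_array.next_entry_array_offset));` so the check and the log message work from one snapshot. The comment could also state why the ordering is required, for example `/* Require strictly increasing offsets so a corrupted chain can never point backwards and loop. */`; that rationale is my inference from the commit message, so please confirm it. The test rejects only `next <= offset`, so a value that lands inside the current object (`next - offset < sz`) still passes and may be worth refusing as well. check_object() begins and ends outside both hunks, so I cannot see whether later readers of this field reuse the checked value or fetch it again from the mapping.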