Site Navigation

Date:      Sat, 18 Mar 2023 06:16:50 GMT
From:      Fedor Uporov <fsu@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 366da717deda - main - Add root directory entry check.
Message-ID:  <202303180616.32I6GovC023071@gitrepo.freebsd.org>

---

next in thread | raw e-mail | index | archive | help

---

The branch main has been updated by fsu:

URL: https://cgit.FreeBSD.org/src/commit/?id=366da717deda3964ae369f1f2fbd62114d14c587

commit 366da717deda3964ae369f1f2fbd62114d14c587
Author:     Fedor Uporov <fsu@FreeBSD.org>
AuthorDate: 2023-02-09 09:34:25 +0000
Commit:     Fedor Uporov <fsu@FreeBSD.org>
CommitDate: 2023-03-18 06:16:22 +0000

    Add root directory entry check.
    
    Add check that directory entry with ino=EXT2_ROOTINO
    have correct namelength and name. It is possible to
    create malicious image which will cause panic if root
    directory entry have incorrect name.
    
    PR:                     259068
    Reported by:            Robert Morris
    Reviewed by:            pfg
    MFC after:              2 weeks
    Differential Revision:  https://reviews.freebsd.org/D38502
---
 sys/fs/ext2fs/ext2_lookup.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sys/fs/ext2fs/ext2_lookup.c b/sys/fs/ext2fs/ext2_lookup.c
index 67409a5e2a17..93a2d172e01f 100644
--- a/sys/fs/ext2fs/ext2_lookup.c
+++ b/sys/fs/ext2fs/ext2_lookup.c
@@ -818,6 +818,8 @@ ext2_dirbad(struct inode *ip, doff_t offset, char *how)
  *	record must be large enough to contain entry
  *	name is not longer than MAXNAMLEN
  *	name must be as long as advertised, and null terminated
+ *	inode number less then inode count
+ *	if root inode entry, it have correct name
  */
 static int
 ext2_check_direntry(struct vnode *dp, struct ext2fs_direct_2 *de,
@@ -836,6 +838,11 @@ ext2_check_direntry(struct vnode *dp, struct ext2fs_direct_2 *de,
 		error_msg = "directory entry across blocks";
 	else if (le32toh(de->e2d_ino) > fs->e2fs->e2fs_icount)
 		error_msg = "directory entry inode out of bounds";
+	else if (le32toh(de->e2d_ino) == EXT2_ROOTINO &&
+	    ((de->e2d_namlen != 1 && de->e2d_namlen != 2) ||
+	    (de->e2d_name[0] != '.') ||
+	    (de->e2d_namlen == 2 && de->e2d_name[1] != '.')))
+		error_msg = "bad root directory entry";
 
 	if (error_msg != NULL) {
 		SDT_PROBE5(ext2fs, , trace, ext2_dirbadentry_error,

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202303180616.32I6GovC023071>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact