On Sat, Jul 15, 2017 at 11:03:10PM +0200, Jakub Wilk wrote:
> Package: e2fsprogs
> Version: 1.43.4-2
>
> e2fsck crashes when checking the attached filesystem:

Thanks for reporting this bug! I have a fix committed in my tree which will be released in the next version of e2fsprogs.

- Ted

From 74da94f3bf240bb8ad1b57a94a8f94fa3050e906 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <ty...@mit.edu>
Date: Mon, 17 Jul 2017 19:55:39 -0400
Subject: [PATCH] libext2fs: fix the s_log_block_size check in ext2fs_open()

The s_log_block_check can fail to detect an invalid value if it is
between UINT_MAX-9 and UINT_MAX, which can lead to ext2fs_open()
crashing with a division by zero error.

This bug was found using American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/

Addresses-Debian-Bug: #868489
Reported-by: jw...@jwilk.net
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
---
 lib/ext2fs/openfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c index 93b02ed86..0362b2839 100644 --- a/lib/ext2fs/openfs.c +++ b/lib/ext2fs/openfs.c @@ -275,8 +275,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options, } } - if ((fs->super->s_log_block_size + EXT2_MIN_BLOCK_LOG_SIZE) > - EXT2_MAX_BLOCK_LOG_SIZE) { + if (fs->super->s_log_block_size > + (unsigned) (EXT2_MAX_BLOCK_LOG_SIZE - EXT2_MIN_BLOCK_LOG_SIZE)) { retval = EXT2_ET_CORRUPT_SUPERBLOCK; goto cleanup; } -- 2.11.0.rc0.7.gbe5a750
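
Review bot: the rewritten condition in ext2fs_open2() carries no comment saying why the bound is computed as EXT2_MAX_BLOCK_LOG_SIZE - EXT2_MIN_BLOCK_LOG_SIZE on the constant side, so a later cleanup could restore the wrapping addition on s_log_block_size; a one-line comment above the if would prevent that. The diffstat shows only lib/ext2fs/openfs.c changed, so the fuzzed image from the Debian report is not added as a regression test; including it would keep this case covered. The commit message also says "s_log_block_check" where the subject line says "s_log_block_size check".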
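
The wraparound described in the commit message, as an added example that is not part of the original message or of e2fsprogs. The two constant values are assumptions (the page does not show them; 10 is consistent with the "UINT_MAX-9" range quoted above), and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values, not taken from the page. */
#define EXT2_MIN_BLOCK_LOG_SIZE 10
#define EXT2_MAX_BLOCK_LOG_SIZE 16

/* Pre-patch form: the addition is done in 32-bit unsigned arithmetic,
 * so the top ten values wrap to 0..9 and slip under the limit. */
static int old_check_rejects(uint32_t s_log_block_size)
{
    return (s_log_block_size + EXT2_MIN_BLOCK_LOG_SIZE) >
        EXT2_MAX_BLOCK_LOG_SIZE;
}

/* Patched form: only the constants are combined, nothing can wrap. */
static int new_check_rejects(uint32_t s_log_block_size)
{
    return s_log_block_size >
        (unsigned) (EXT2_MAX_BLOCK_LOG_SIZE - EXT2_MIN_BLOCK_LOG_SIZE);
}

/* Count values in [lo, hi] on which the two checks give different answers. */
static unsigned count_disagreements(uint32_t lo, uint32_t hi)
{
    unsigned n = 0;
    for (uint32_t v = lo; ; v++) {
        if (old_check_rejects(v) != new_check_rejects(v))
            n++;
        if (v == hi)   /* test before incrementing so hi == UINT32_MAX ends */
            break;
    }
    return n;
}

int main(void)
{
    /* Constructed sample values for the on-disk s_log_block_size field. */
    const uint32_t samples[] = { 0, 6, 7, UINT32_MAX - 10,
                                 UINT32_MAX - 9, UINT32_MAX };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("s_log_block_size=%10u  old rejects=%d  new rejects=%d\n",
               (unsigned) samples[i], old_check_rejects(samples[i]),
               new_check_rejects(samples[i]));
    printf("values accepted only by the old check: %u\n",
           count_disagreements(UINT32_MAX - 63, UINT32_MAX));
    return 0;
}
```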