author | Andreas Dilger <adilger@clusterfs.com> | 2007-06-22 02:22:38 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2007-06-22 02:22:38 -0400 |
commit | a34c6ffd687aef4941bbc32793078c13914d3864 (patch) | |
tree | b65caf8f10f3621d9b14e2672f889c7f1e436042 /e2fsck | |
parent | e382a7eaded3ec6b38114988ae9b0723bb48002a (diff) | |
download | e2fsprogs-a34c6ffd687aef4941bbc32793078c13914d3864.tar.gz |
e2fsck: added sanity check for xattr validation
Add an extra validity test in check_ext_attr(). If an attribute's
e_value_size is zero the current code does not allocate a region for it
and as a result the e_value_offs value is not verified. However, if
e_value_offs is very large then the later call to
ext2fs_ext_attr_hash_entry() can dereference bad memory and crash
e2fsck.
Signed-off-by: Andreas Dilger <adilger@clusterfs.com>
Signed-off-by: Jim Garlick <garlick@llnl.gov>
Diffstat (limited to 'e2fsck')
-rw-r--r-- | e2fsck/ChangeLog | 10 | ||||
-rw-r--r-- | e2fsck/pass1.c | 5 |
2 files changed, 15 insertions, 0 deletions
diff --git a/e2fsck/ChangeLog b/e2fsck/ChangeLog index 3fbeef2d..06fa905e 100644 --- a/e2fsck/ChangeLog +++ b/e2fsck/ChangeLog @@ -1,3 +1,13 @@ +2007-06-22 Theodore Tso <tytso@mit.edu> + + * pass1.c (check_ext_attr): Adds an extra validity test in + check_ext_attr(). If an attribute's e_value_size is zero + the current code does not allocate a region for it and as + a result the e_value_offs value is not verified. However, + if e_value_offs is very large then the later call to + ext2fs_ext_attr_hash_entry() can dereference bad memory + and crash e2fsck. + 2007-06-18 Theodore Tso <tytso@mit.edu> * journal.c (e2fsck_run_ext3_journal), unix.c (main): Explicitly diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c index 8f5a314d..bed1ec89 100644 --- a/e2fsck/pass1.c +++ b/e2fsck/pass1.c @@ -1380,6 +1380,11 @@ static int check_ext_attr(e2fsck_t ctx, struct problem_context *pctx, if (fix_problem(ctx, PR_1_EA_BAD_VALUE, pctx)) goto clear_extattr; } + if (entry->e_value_offs + entry->e_value_size > fs->blocksize) { + if (fix_problem(ctx, PR_1_EA_BAD_VALUE, pctx)) + goto clear_extattr; + break; + } if (entry->e_value_size && region_allocate(region, entry->e_value_offs, EXT2_EXT_ATTR_SIZE(entry->e_value_size))) { |
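Review bot: the new ChangeLog entry is credited to Theodore Tso, but the commit author and first Signed-off-by on this change is Andreas Dilger; the entry should name the author of the fix. The entry also opens with "Adds an extra validity test in check_ext_attr()", while the neighbouring entries use the imperative ("Explicitly ..."); "Add an extra validity test" keeps the file's style and matches the commit message.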
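Review bot: in the pass1.c hunk, `entry->e_value_offs + entry->e_value_size > fs->blocksize` is evaluated in unsigned integer arithmetic, so a corrupt e_value_size close to the 32-bit maximum wraps the sum below fs->blocksize and slips past the test unless e_value_size has already been bounded by an earlier check that is not visible in this hunk; checking each operand against fs->blocksize separately (or comparing `entry->e_value_offs > fs->blocksize - entry->e_value_size` after bounding e_value_size) avoids the wrap. The new branch also `break`s out of the loop when fix_problem() declines the repair, whereas the preceding PR_1_EA_BAD_VALUE check simply falls through to the next iteration; if that asymmetry is intentional (stop walking entries once an offset is known to be out of the block), a one-line comment would help, since the later ext2fs_ext_attr_hash_entry() call is exactly what the commit message says must not see this entry.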