svn commit: r343517 - stable/11/sys/fs/ext2fs
Pedro F. Giffuni
pfg at FreeBSD.org
Mon Jan 28 02:12:49 UTC 2019
Author: pfg
Date: Mon Jan 28 02:12:48 2019
New Revision: 343517
URL: https://svnweb.freebsd.org/changeset/base/343517
Log:
MFC r343459: (partial)
ext2fs: Add some extra consistency checks for the superblock.
Maliciously formed, or badly corrupted, filesystems can cause kernel
panics. In general, such acts of foot-shooting can only be accomplished
by root, but in a world with VM images that is moving towards automated
mounts it is important to have some form of prevention.
Reported by: Christopher Krah, Thomas Barabosch, and Jan-Niclas Hilgert
of Fraunhofer FKIE.
Incidentally this should also fix a memory corruption issue reported by
Dr Silvio Cesare of InfoSect.
Huge thanks to all researchers for making us aware of the issue.
Note: for the MFC to stable/11 several changes had to be made.
admbug: 872, 891
Reviewed by: fsu
Obtained from: NetBSD (with changes)
Modified:
stable/11/sys/fs/ext2fs/ext2_vfsops.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/fs/ext2fs/ext2_vfsops.c
==============================================================================
--- stable/11/sys/fs/ext2fs/ext2_vfsops.c Mon Jan 28 02:00:39 2019 (r343516)
+++ stable/11/sys/fs/ext2fs/ext2_vfsops.c Mon Jan 28 02:12:48 2019 (r343517)
@@ -369,8 +369,27 @@ compute_sb_data(struct vnode *devvp, struct ext2fs *es
es->e3fs_desc_size);
return (EINVAL);
}
+ /* Check for block size = 1K|2K|4K */
+ if (es->e2fs_log_bsize > 2) {
+ printf("ext2fs: bad block size: %d\n", es->e2fs_log_bsize);
+ return (EINVAL);
+ }
+ /* Check for group size */
+ if (fs->e2fs_bpg == 0) {
+ printf("ext2fs: zero blocks per group\n");
+ return (EINVAL);
+ }
+ if (fs->e2fs_bpg != fs->e2fs_bsize * 8) {
+ printf("ext2fs: non-standard group size unsupported %d\n",
+ fs->e2fs_bpg);
+ return (EINVAL);
+ }
fs->e2fs_ipb = fs->e2fs_bsize / EXT2_INODE_SIZE(fs);
+ if (fs->e2fs_ipg == 0) {
+ printf("ext2fs: zero inodes per group\n");
+ return (EINVAL);
+ }
fs->e2fs_itpg = fs->e2fs_ipg / fs->e2fs_ipb;
/* s_resuid / s_resgid ? */
fs->e2fs_gcount = howmany(es->e2fs_bcount - es->e2fs_first_dblock,
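Review bot: the new e2fs_ipg == 0 test guards only the dividend of `fs->e2fs_itpg = fs->e2fs_ipg / fs->e2fs_ipb;`, while the divisor e2fs_ipb, computed one line earlier as e2fs_bsize / EXT2_INODE_SIZE(fs), is not checked anywhere in this hunk and would be zero if the on-disk inode size exceeded the block size. Unless the inode size is already bounded earlier in compute_sb_data(), outside the lines shown here, add an e2fs_ipb == 0 test returning EINVAL before the division. A smaller point on the first added check: the "bad block size" message prints e2fs_log_bsize, which is the log value compared against 2 and not a size in bytes, so wording it as "bad log block size" would keep the console output from being misread. The e2fs_bpg == 0 test is also implied by the following `fs->e2fs_bpg != fs->e2fs_bsize * 8` comparison whenever e2fs_bsize is non-zero; keeping it for the distinct message is fine, but a short comment saying so would help the next reader.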