    handle ext3 directory corruption better (CVE-2006-6053) · 04900014
    Eric Sandeen authored
    I've been using Steve Grubb's purely evil "fsfuzzer" tool, at
    http://people.redhat.com/sgrubb/files/fsfuzzer-0.4.tar.gz
    
    Basically it makes a filesystem, splats some random bits over it, then
    tries to mount it and do some simple filesystem actions.
    
    At best, the filesystem catches the corruption gracefully.  At worst,
    things spin out of control.
    
    As you might guess, we found a couple places in ext3 where things spin out
    of control :)
    
    First, we had a corrupted directory that was never checked for
    consistency...  it was corrupt, and pointed to another bad "entry" of
    length 0.  The for() loop looped forever, since the length of
    ext3_next_entry(de) was 0, and we kept looking at the same pointer over and
    over and over and over...  I modeled this check and subsequent action on
    what is done for other directory types in ext3_readdir...
    
    (adding this check adds some computational expense; I am testing a followup
    patch to reduce the number of times we check and re-check these directory
    entries, in all cases.  Thanks for the idea, Andreas).
    
    Next we had a root directory inode which had a corrupted size, claimed to
    be > 200M on a 4M filesystem.  There was only really 1 block in the
    directory, but because the size was so large, readdir kept coming back for
    more, spewing thousands of printk's along the way.
    
    Per Andreas' suggestion, if we're in this read error condition and we're
    trying to read an offset which is greater than i_blocks worth of bytes,
    stop trying, and break out of the loop.
    
    With these two changes fsfuzz test survives quite well on ext3.
    Signed-off-by: Eric Sandeen <sandeen@redhat.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
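As an added illustration of the first bug (this is not code from the commit or from the kernel's dir.c), a user-space walk over one constructed ext3 directory block: the entry checks mirror what a readdir-style loop must verify, and a zeroed rec_len now ends the walk instead of pinning it on the same pointer forever. The `struct dir_entry` layout, the `DIR_REC_LEN` macro and the helper names are this example's own, modelled on the on-disk format; the i_blocks cap from the second fix is not covered here.

```c
#include <stdint.h>
#include <string.h>
#define BLOCK_SIZE 1024
/* Smallest on-disk size of an entry with a name_len-byte name, rounded up to 4 bytes. */
#define DIR_REC_LEN(name_len) (((name_len) + 8 + 3) & ~3)

struct dir_entry {        /* on-disk ext3 directory entry layout, reproduced for the example */
    uint32_t inode;
    uint16_t rec_len;     /* distance to the next entry; 0 is what made the old loop spin */
    uint8_t  name_len, file_type;
    char     name[];
};

/* Count in-use entries in one directory block; return -1 and stop at the first
 * corrupt entry instead of looping on it forever. */
int walk_dir_block(const uint8_t *block, size_t bs)
{
    int count = 0;
    for (size_t off = 0; off < bs; ) {
        const struct dir_entry *de = (const struct dir_entry *)(block + off);
        /* Verify before trusting: minimum size, 4-byte alignment, room for the name, in-block. */
        if (de->rec_len < DIR_REC_LEN(1) || (de->rec_len & 3) ||
            de->rec_len < DIR_REC_LEN(de->name_len) || off + de->rec_len > bs)
            return -1;
        if (de->inode != 0) count++;
        off += de->rec_len;   /* verified > 0 above, so the loop always advances */
    }
    return count;
}

/* Helper: write one entry at off and return the offset of the next one. */
static size_t put_entry(uint8_t *b, size_t off, uint32_t ino, uint16_t rec_len, const char *name)
{
    struct dir_entry *de = (struct dir_entry *)(b + off);
    de->inode = ino; de->rec_len = rec_len; de->file_type = 0;
    de->name_len = (uint8_t)strlen(name); memcpy(de->name, name, de->name_len);
    return off + rec_len;
}

/* Constructed sample block (".", "..", "lost+found"); with corrupt set, the ".."
 * entry's rec_len is zeroed, the shape of corruption the commit message describes. */
int walk_sample_block(int corrupt)
{
    _Alignas(4) uint8_t b[BLOCK_SIZE] = {0};
    size_t off = put_entry(b, 0, 2, 12, ".");
    off = put_entry(b, off, 2, 12, "..");
    put_entry(b, off, 11, (uint16_t)(BLOCK_SIZE - off), "lost+found");
    if (corrupt) ((struct dir_entry *)(b + 12))->rec_len = 0;
    return walk_dir_block(b, BLOCK_SIZE);
}
```

`walk_sample_block(0)` returns 3 for the well-formed block; `walk_sample_block(1)` returns -1 at the zero-length entry rather than hanging.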