Your Name
81 lines
2.4 KiB
Diff
81 lines
2.4 KiB
Diff
From 6cebfbb79b1d5d8feb48801e1008eea5bfa8b599 Mon Sep 17 00:00:00 2001
|
|
From: Gao Xiang <hsiangkao@linux.alibaba.com>
|
|
Date: Fri, 2 Jun 2023 13:52:56 +0800
|
|
Subject: [PATCH 2/2] erofs-utils: fsck: block insane long paths when
|
|
extracting images
|
|
|
|
Since some crafted EROFS filesystem images could have insane deep
|
|
hierarchy (or may form directory loops) which triggers the
|
|
PATH_MAX-sized path buffer OR stack overflow.
|
|
|
|
Actually some crafted images cannot be deemed as real corrupted
|
|
images but over-PATH_MAX paths are not something that we'd like to
|
|
support for now.
|
|
|
|
CVE: CVE-2023-33551
|
|
Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551
|
|
Reported-by: Chaoming Yang <lometsj@live.com>
|
|
Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs")
|
|
Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()")
|
|
Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X")
|
|
Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
|
|
Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com
|
|
|
|
Upstream-Status: Backport
|
|
Signed-off-by: Ross Burton <ross.burton@arm.com>
|
|
---
|
|
fsck/main.c | 23 +++++++++++++++--------
|
|
1 file changed, 15 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/fsck/main.c b/fsck/main.c
|
|
index 6689ad8..28d95ec 100644
|
|
--- a/fsck/main.c
|
|
+++ b/fsck/main.c
|
|
@@ -680,28 +680,35 @@ again:
|
|
static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx)
|
|
{
|
|
int ret;
|
|
- size_t prev_pos = fsckcfg.extract_pos;
|
|
+ size_t prev_pos, curr_pos;
|
|
|
|
if (ctx->dot_dotdot)
|
|
return 0;
|
|
|
|
- if (fsckcfg.extract_path) {
|
|
- size_t curr_pos = prev_pos;
|
|
+ prev_pos = fsckcfg.extract_pos;
|
|
+ curr_pos = prev_pos;
|
|
+
|
|
+ if (prev_pos + ctx->de_namelen >= PATH_MAX) {
|
|
+ erofs_err("unable to fsck since the path is too long (%u)",
|
|
+ curr_pos + ctx->de_namelen);
|
|
+ return -EOPNOTSUPP;
|
|
+ }
|
|
|
|
+ if (fsckcfg.extract_path) {
|
|
fsckcfg.extract_path[curr_pos++] = '/';
|
|
strncpy(fsckcfg.extract_path + curr_pos, ctx->dname,
|
|
ctx->de_namelen);
|
|
curr_pos += ctx->de_namelen;
|
|
fsckcfg.extract_path[curr_pos] = '\0';
|
|
- fsckcfg.extract_pos = curr_pos;
|
|
+ } else {
|
|
+ curr_pos += ctx->de_namelen;
|
|
}
|
|
-
|
|
+ fsckcfg.extract_pos = curr_pos;
|
|
ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid);
|
|
|
|
- if (fsckcfg.extract_path) {
|
|
+ if (fsckcfg.extract_path)
|
|
fsckcfg.extract_path[prev_pos] = '\0';
|
|
- fsckcfg.extract_pos = prev_pos;
|
|
- }
|
|
+ fsckcfg.extract_pos = prev_pos;
|
|
return ret;
|
|
}
|
|
|
|
--
|
|
2.34.1
|
|
|