blob: 9ed77d921f45a70a635acde58a92a422c74a153c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
From 5782f0d47df99dcfc743aa138361336e9a4ac966 Mon Sep 17 00:00:00 2001
From: Gao Xiang <hsiangkao@linux.alibaba.com>
Date: Fri, 2 Jun 2023 13:52:56 +0800
Subject: [PATCH 1/4] erofs-utils: fsck: block insane long paths when
extracting images
Since some crafted EROFS filesystem images could have insane deep
hierarchy (or may form directory loops) which triggers the
PATH_MAX-sized path buffer OR stack overflow.
Actually some crafted images cannot be deemed as real corrupted
images but over-PATH_MAX paths are not something that we'd like to
support for now.
CVE: CVE-2023-33551
Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551
Reported-by: Chaoming Yang <lometsj@live.com>
Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs")
Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()")
Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X")
Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com
Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/patch/?id=27aeef179bf17d5f1d98f827e93d24839a6d4176]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
fsck/main.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/fsck/main.c b/fsck/main.c
index 5a2f659..2b6a6dd 100644
--- a/fsck/main.c
+++ b/fsck/main.c
@@ -679,28 +679,35 @@ again:
static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx)
{
int ret;
- size_t prev_pos = fsckcfg.extract_pos;
+ size_t prev_pos, curr_pos;
if (ctx->dot_dotdot)
return 0;
- if (fsckcfg.extract_path) {
- size_t curr_pos = prev_pos;
+ prev_pos = fsckcfg.extract_pos;
+ curr_pos = prev_pos;
+
+ if (prev_pos + ctx->de_namelen >= PATH_MAX) {
+ erofs_err("unable to fsck since the path is too long (%u)",
+ curr_pos + ctx->de_namelen);
+ return -EOPNOTSUPP;
+ }
+ if (fsckcfg.extract_path) {
fsckcfg.extract_path[curr_pos++] = '/';
strncpy(fsckcfg.extract_path + curr_pos, ctx->dname,
ctx->de_namelen);
curr_pos += ctx->de_namelen;
fsckcfg.extract_path[curr_pos] = '\0';
- fsckcfg.extract_pos = curr_pos;
+ } else {
+ curr_pos += ctx->de_namelen;
}
-
+ fsckcfg.extract_pos = curr_pos;
ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid);
- if (fsckcfg.extract_path) {
+ if (fsckcfg.extract_path)
fsckcfg.extract_path[prev_pos] = '\0';
- fsckcfg.extract_pos = prev_pos;
- }
+ fsckcfg.extract_pos = prev_pos;
return ret;
}
--
2.25.1
|
