
Out-of-bounds access (OVERRUN) in filesystems/fsw_ext4.c >> fsw_ext4_readlink #34

Closed
dakanji opened this issue Mar 10, 2021 · 2 comments
Labels: Bug (Something Went Wrong), Resolved (Issue Has Been Resolved), Upstream (Refer Upstream)

Comments

dakanji (Owner) commented Mar 10, 2021

Memory Corruption from Out-of-Bounds Access

Checking dno->g.size > 4096ULL (implies that dno->g.size may be up to 4096 on the false branch) in:

    if (dno->g.size > FSW_PATH_MAX)

Assigning: s.len = (int)dno->g.size (the value of s.len may now be up to 4096) in:

    s.size = s.len = (int)dno->g.size;

Assigning: s.data = dno->raw->i_block.
s.data now points to byte 0 of dno->raw->i_block (which consists of 60 bytes) in:

    s.data = dno->raw->i_block;

Overrunning buffer pointed to by s.data of 60 bytes by passing it to a function which accesses it at byte offset 4095 using argument s.len (which evaluates to 4096) in:

    status = fsw_strdup_coerce(link_target, vol->g.host_string_type, &s);

dakanji added the Bug (Something Went Wrong) label Mar 10, 2021
dakanji changed the title from "Out-of-bounds access (OVERRUN) in filesystems/fsw_ext4.c >> fsw_ext4_readlink" to "Out-of-bounds access (OVERRUN) in fsw_ext4.c >> fsw_ext4_readlink" Mar 10, 2021
dakanji changed the title back to "Out-of-bounds access (OVERRUN) in filesystems/fsw_ext4.c >> fsw_ext4_readlink" Mar 10, 2021
dakanji added the Upstream (Refer Upstream) and Parked (Action Deferred) labels and removed the Bug (Something Went Wrong) and Upstream (Refer Upstream) labels Mar 10, 2021
joevt commented Mar 13, 2021

I guess there needs to be a check to make sure the symlink size is not greater than 60 bytes when it is inlined.

So after this line:

if (dno->raw->i_blocks_lo - ea_blocks == 0) {

Add this:

    if (dno->g.size > sizeof(dno->raw->i_block))
        return FSW_VOLUME_CORRUPTED;
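
An added example, not fsw or RefindPlus code, that models the inline (fast) symlink path from the report beside the same path with the bound joevt proposes. The inode struct, the status enum and its numeric values, and every function name below are assumptions chosen to mirror the fields discussed in the thread; only FSW_PATH_MAX (4096), the 60-byte i_block array and the i_blocks_lo - ea_blocks test come from the issue. The sample inode is constructed inline so the file runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FSW_PATH_MAX   4096
#define EXT4_N_BLOCKS  15                       /* 15 x 4 bytes = the 60-byte i_block */

enum fsw_status {                               /* assumed numeric values, not fsw's */
    FSW_SUCCESS = 0,
    FSW_OUT_OF_MEMORY,
    FSW_UNSUPPORTED,
    FSW_NOT_FOUND,
    FSW_VOLUME_CORRUPTED
};

/* Minimal stand-in for the on-disk ext4 inode fields the check uses (assumption). */
struct inode_min {
    uint32_t i_blocks_lo;                       /* data blocks in 512-byte units */
    uint32_t i_block[EXT4_N_BLOCKS];            /* block map, or the inline symlink target */
};

/* Build a constructed fast symlink inode: target bytes live in i_block and
 * i_blocks_lo is 0. Returns 0 if the target does not fit in 60 bytes. */
static int make_inline_symlink(struct inode_min *ino, const char *target, uint32_t i_blocks_lo)
{
    size_t n = strlen(target);
    memset(ino, 0, sizeof *ino);
    if (n > sizeof(ino->i_block))
        return 0;
    memcpy(ino->i_block, target, n);
    ino->i_blocks_lo = i_blocks_lo;
    return 1;
}

/* Mirrors the control flow the report describes: the only bound applied before the
 * copy is FSW_PATH_MAX, so an i_size up to 4096 reaches fsw_strdup_coerce as the
 * length of a 60-byte buffer. To stay memory-safe this function does not copy; it
 * returns the length the original code would pass on (0 = rejected earlier). */
static size_t inline_link_len_unchecked(const struct inode_min *ino,
                                        uint64_t i_size, uint32_t ea_blocks)
{
    if (i_size > FSW_PATH_MAX)
        return 0;                               /* the existing check */
    if (ino->i_blocks_lo - ea_blocks != 0)
        return 0;                               /* slow symlink; block path not modelled */
    return (size_t)i_size;                      /* never compared against sizeof i_block */
}

/* Same path with joevt's check: an inline link longer than i_block is a corrupt
 * inode, not a valid target. Copies the NUL-terminated target into out. */
static enum fsw_status readlink_inline_checked(const struct inode_min *ino,
                                               uint64_t i_size, uint32_t ea_blocks,
                                               char *out, size_t outcap)
{
    if (i_size > FSW_PATH_MAX)
        return FSW_NOT_FOUND;
    if (ino->i_blocks_lo - ea_blocks != 0)
        return FSW_UNSUPPORTED;                 /* slow symlink; block path not modelled */
    if (i_size > sizeof(ino->i_block))          /* the added check */
        return FSW_VOLUME_CORRUPTED;
    if (i_size + 1 > outcap)
        return FSW_OUT_OF_MEMORY;
    memcpy(out, ino->i_block, (size_t)i_size);
    out[i_size] = '\0';
    return FSW_SUCCESS;
}

/* Convenience wrappers: build a fast symlink to `target`, claim `i_size`, run each path. */
static char last_target[FSW_PATH_MAX + 1];

static size_t try_unchecked(const char *target, uint64_t i_size, uint32_t i_blocks_lo)
{
    struct inode_min ino;
    make_inline_symlink(&ino, target, i_blocks_lo);
    return inline_link_len_unchecked(&ino, i_size, 0);
}

static enum fsw_status try_checked(const char *target, uint64_t i_size, uint32_t i_blocks_lo)
{
    struct inode_min ino;
    make_inline_symlink(&ino, target, i_blocks_lo);
    return readlink_inline_checked(&ino, i_size, 0, last_target, sizeof last_target);
}

int main(void)
{
    /* honest inode: 13-byte target, i_size 13 */
    printf("i_size=13:   unchecked len %zu, checked status %d, target \"%s\"\n",
           try_unchecked("/boot/vmlinuz", 13, 0), try_checked("/boot/vmlinuz", 13, 0), last_target);
    /* same inode with a corrupt i_size: passes the FSW_PATH_MAX test, fails the new one */
    printf("i_size=4096: unchecked len %zu (buffer is %zu bytes), checked status %d\n",
           try_unchecked("/boot/vmlinuz", 4096, 0), sizeof(((struct inode_min *)0)->i_block),
           try_checked("/boot/vmlinuz", 4096, 0));
    return 0;
}
```

The unchecked path returns 4096 for the corrupt inode, which is the s.len the report shows being handed to fsw_strdup_coerce over a 60-byte i_block; the checked path stops at the new size test and never reaches the copy.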

dakanji (Owner, Author) commented Mar 13, 2021

Makes sense

dakanji added the Bug (Something Went Wrong) and Upstream (Refer Upstream) labels and removed the Parked (Action Deferred) label Mar 14, 2021
dakanji added a commit that referenced this issue Mar 14, 2021
github-actions bot locked as resolved and limited conversation to collaborators Mar 21, 2021
dakanji added the Resolved (Issue Has Been Resolved) label Dec 12, 2021