e2fsck: abort if there is a corrupted directory block when rehashing

In e2fsck pass 3a, when we are rehashing directories, at least in theory, all of the directories should have had corruptions with respect to directory entry structure fixed. However, it's possible (for example, if the user declined a fix) that we can reach this stage of processing with a corrupted directory entries. So check for that case and don't try to process a corrupted directory block so we don't run into trouble in mutate_name() if there is a zero-length file name. Addresses: TALOS-2019-0973 Addresses: CVE-2019-5188 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
tytso · Dec 20, 2019 · 8dd73c1 · 8dd73c1
1 parent c4e7324
commit 8dd73c1
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
@@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs,
 		dir_offset += rec_len;
 		if (dirent->inode == 0)
 			continue;
+		if ((name_len) == 0) {
+			fd->err = EXT2_ET_DIR_CORRUPTED;
+			return BLOCK_ABORT;
+		}
 		if (!fd->compress && (name_len == 1) &&
 		    (dirent->name[0] == '.'))
 			continue;
@@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs,
 			continue;
 		}
 		new_len = ext2fs_dirent_name_len(ent->dir);
+		if (new_len == 0) {
+			 /* should never happen */
+			ext2fs_unmark_valid(fs);
+			continue;
+		}
 		memcpy(new_name, ent->dir->name, new_len);
 		mutate_name(new_name, &new_len);
 		for (j=0; j < fd->num_array; j++) {