projects / platform / upstream / erofs-utils.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2145dff)
erofs-utils: fsck: block insane long paths when extracting images
authorGao Xiang <hsiangkao@linux.alibaba.com>
Fri, 2 Jun 2023 05:52:56 +0000 (13:52 +0800)
committerGao Xiang <hsiangkao@linux.alibaba.com>
Fri, 2 Jun 2023 06:00:16 +0000 (14:00 +0800)
Since some crafted EROFS filesystem images could have insane deep
hierarchy (or may form directory loops) which triggers the
PATH_MAX-sized path buffer OR stack overflow.

Actually some crafted images cannot be deemed as real corrupted
images but over-PATH_MAX paths are not something that we'd like to
support for now.

CVE: CVE-2023-33551
Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551
Reported-by: Chaoming Yang <lometsj@live.com>
Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs")
Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()")
Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X")
Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com
fsck/main.c patch | blob | history

diff --git a/fsck/main.c b/fsck/main.c
index 52fb7a0129b8614c679ba4581cf8a941b94eb6f3..3d1682c6cdd553dbb6bdb91dc5f8f144213b7230 100644 (file)
--- a/fsck/main.c
+++ b/fsck/main.c
@@ -680,28 +680,35 @@ again:
 static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx)
 {
        int ret;
-       size_t prev_pos = fsckcfg.extract_pos;
+       size_t prev_pos, curr_pos;
 
        if (ctx->dot_dotdot)
                return 0;
 
-       if (fsckcfg.extract_path) {
-               size_t curr_pos = prev_pos;
+       prev_pos = fsckcfg.extract_pos;
+       curr_pos = prev_pos;
+
+       if (prev_pos + ctx->de_namelen >= PATH_MAX) {
+               erofs_err("unable to fsck since the path is too long (%u)",
+                         curr_pos + ctx->de_namelen);
+               return -EOPNOTSUPP;
+       }
 
+       if (fsckcfg.extract_path) {
                fsckcfg.extract_path[curr_pos++] = '/';
                strncpy(fsckcfg.extract_path + curr_pos, ctx->dname,
                        ctx->de_namelen);
                curr_pos += ctx->de_namelen;
                fsckcfg.extract_path[curr_pos] = '\0';
-               fsckcfg.extract_pos = curr_pos;
+       } else {
+               curr_pos += ctx->de_namelen;
        }
-
+       fsckcfg.extract_pos = curr_pos;
        ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid);
 
-       if (fsckcfg.extract_path) {
+       if (fsckcfg.extract_path)
                fsckcfg.extract_path[prev_pos] = '\0';
-               fsckcfg.extract_pos = prev_pos;
-       }
+       fsckcfg.extract_pos = prev_pos;
        return ret;
 }
 
Domain: System / Kernel