From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-lf1-f53.google.com (mail-lf1-f53.google.com [209.85.167.53]) by mx.groups.io with SMTP id smtpd.web11.45003.1670856424392905373 for ; Mon, 12 Dec 2022 06:47:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=dn1IG2tK; spf=pass (domain: gmail.com, ip: 209.85.167.53, mailfrom: savvamtr@gmail.com) Received: by mail-lf1-f53.google.com with SMTP id p36so18957318lfa.12 for ; Mon, 12 Dec 2022 06:47:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ZFqgy5/C3sdx9maaeJtRHyEH5iD4KqoD3qbNmEsTeDU=; b=dn1IG2tK+34XwYSH1AsL2oPurBEmtpAH8esLtIM0eb2p4X5HoiKVwSnhGcdmKQcLl5 CSD4DLh8c6Eq/e2t8sYKVrOJr9nY/n0DvJTmWAvCt1+AkVxLsw/aatFmBkvBITlLDcVe 2pJYSQPa6uKBpqeqytvB24mjCEcWzn4U3HTyb9HSIYGE7gr+Hgimyx1gAEfG6C1TvTrV 7djjBCJqaCANjQxtCf/mrXiZa9ZO7lqHR5obj9KrRobLkU4VhF3ZcPX8QTzU75N4NqJh YDWqfpoFvYQMxZ/pSf07Grb5nCq4vP9GXrd7O6dUTEEjYWXZEoz999/rNvPtaDnTqrb4 XIXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ZFqgy5/C3sdx9maaeJtRHyEH5iD4KqoD3qbNmEsTeDU=; b=WH9ZX9ZHj9P3I1mC4NOuMPs8kxHo6STCKnNLSM7AJ33S+i9lECGItF8aaNEhayLeW/ 2J3f7r2qkkP7fcOvSojhvvox174j7EVO3hBWDS8QRO+RwLHLtYgYPLdRO966adjQsKw/ fgWlpTFX2ON9NEue0eGrQTTsO83dCWKxOQdI/GR11KIJiT5v7sDLOfXm2RfXo7Z19Xm0 T9PyymE9SaDiRjn169ChxiMopiuABHJ9rlfazVvkjurH5TTxUyN9XMAwGjBSpZ6pAnmE Y/MafEdxdU2ENkwirVpQQIr6/6ldWrJI2L7T1GGZQALDANYjIwM8nu+8DBzJhaoCIHPl aHdw== X-Gm-Message-State: ANoB5pnwIncF4L0x2J3dpR9PI1DXRQYoZxxh/VmDygB2B1OMI/SHygrf tMi6psR6eeTs96rK6uMLFekEJ4ABL9aTmAWa X-Google-Smtp-Source: 
AA0mqf5ra5gAQLyRTXs5HX42VD9Mc0W+kes90AqqAS/cNOWANBeL1wL9mQ/B6lPXrBjmszoqsIFYaQ== X-Received: by 2002:a05:6512:2293:b0:4b5:5dea:ec68 with SMTP id f19-20020a056512229300b004b55deaec68mr5656846lfu.44.1670856424845; Mon, 12 Dec 2022 06:47:04 -0800 (PST) Return-Path: Received: from localhost.localdomain ([77.221.215.144]) by smtp.gmail.com with ESMTPSA id t4-20020a056512030400b0049c29292250sm1643313lfp.149.2022.12.12.06.47.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Dec 2022 06:47:04 -0800 (PST) From: "Savva Mitrofanov" To: devel@edk2.groups.io Cc: =?UTF-8?q?Marvin=20H=C3=A4user?= , Pedro Falcato , Vitaly Cheptsov Subject: [edk2-platforms][PATCH v2 06/11] Ext4Pkg: Add inode number validity check Date: Mon, 12 Dec 2022 20:46:49 +0600 Message-Id: <20221212144654.2650-7-savvamtr@gmail.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221212144654.2650-1-savvamtr@gmail.com> References: <20221212144654.2650-1-savvamtr@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable We need to validate inode number to prevent possible null-pointer dereference of directory parent in Ext4OpenDirent. Also checks that inode number valid across opened partition before we read it in Ext4ReadInode. Cc: Marvin H=C3=A4user Cc: Pedro Falcato Cc: Vitaly Cheptsov Fixes: e55f0527dde48a5f139c1b8f35acc4e6b59dd794 Signed-off-by: Savva Mitrofanov
---
 Features/Ext4Pkg/Ext4Dxe/Ext4Disk.h | 15 +++++++++---
 Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.h | 25 ++++++++++++++++++++
 Features/Ext4Pkg/Ext4Dxe/BlockGroup.c | 5 ++++
 Features/Ext4Pkg/Ext4Dxe/Directory.c | 10 ++++++++
 4 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/Features/Ext4Pkg/Ext4Dxe/Ext4Disk.h b/Features/Ext4Pkg/Ext4Dxe= /Ext4Disk.h
index 1285644dcb25..6b56ce6813fc 100644
--- a/Features/Ext4Pkg/Ext4Dxe/Ext4Disk.h
+++ b/Features/Ext4Pkg/Ext4Dxe/Ext4Disk.h
@@ -397,7 +397,7 @@ typedef struct _Ext4Inode {
 UINT32 i_projid;=0D
 } EXT4_INODE;=0D
 =0D
-#define EXT4_NAME_MAX 255=0D
+#define EXT4_NAME_MAX 255=0D
 =0D
 typedef struct {=0D
 UINT32 inode;=0D
@@ -469,8 +469,17 @@ typedef UINT64 EXT4_BLOCK_NR;
 typedef UINT32 EXT2_BLOCK_NR;=0D
 typedef UINT32 EXT4_INO_NR;=0D
 =0D
-// 2 is always the root inode number in ext4=0D
-#define EXT4_ROOT_INODE_NR 2=0D
+/* Special inode numbers */=0D
+#define EXT4_ROOT_INODE_NR 2=0D
+#define EXT4_USR_QUOTA_INODE_NR 3=0D
+#define EXT4_GRP_QUOTA_INODE_NR 4=0D
+#define EXT4_BOOT_LOADER_INODE_NR 5=0D
+#define EXT4_UNDEL_DIR_INODE_NR 6=0D
+#define EXT4_RESIZE_INODE_NR 7=0D
+#define EXT4_JOURNAL_INODE_NR 8=0D
+=0D
+/* First non-reserved inode for old ext4 filesystems */=0D
+#define EXT4_GOOD_OLD_FIRST_INODE_NR 11=0D
 =0D
 #define EXT4_BLOCK_FILE_HOLE 0=0D
 =0D
diff --git a/Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.h b/Features/Ext4Pkg/Ext4Dxe/= Ext4Dxe.h
index 81ba568c5947..beceb9d60dcb 100644
--- a/Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.h
+++ b/Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.h
@@ -287,6 +287,31 @@ Ext4GetBlockGroupDesc (
 IN UINT32 BlockGroup=0D
 );=0D
 =0D
+/**=0D
+ Retrieves the first usable non-reserved inode number from the superbloc= k=0D
+ of the opened partition.=0D
+=0D
+ @param[in] Partition Pointer to the opened ext4 partition.=0D
+=0D
+ @return The first usable inode number (non-reserved).=0D
+**/=0D
+#define EXT4_FIRST_INODE_NR(Partition) = \=0D
+ ((Partition->SuperBlock.s_rev_level =3D=3D EXT4_GOOD_OLD_REV) ? = \=0D
+ EXT4_GOOD_OLD_FIRST_INODE_NR : = \=0D
+ Partition->SuperBlock.s_first_ino)=0D
+=0D
+/**=0D
+ Checks inode number validity across superblock of the opened partition.= =0D
+=0D
+ @param[in] Partition Pointer to the opened ext4 partition.=0D
+=0D
+ @return TRUE if inode number is valid.=0D
+**/=0D
+#define EXT4_IS_VALID_INODE_NR(Partition, InodeNum) = \=0D
+ (InodeNum =3D=3D EXT4_ROOT_INODE_NR || = \=0D
+ (InodeNum >=3D EXT4_FIRST_INODE_NR(Partition) && = \=0D
+ InodeNum <=3D Partition->SuperBlock.s_inodes_count))=0D
+=0D
 /**=0D
 Reads an inode from disk.=0D
 =0D
diff --git a/Features/Ext4Pkg/Ext4Dxe/BlockGroup.c b/Features/Ext4Pkg/Ext4D= xe/BlockGroup.c
index cba96cd95afc..f34cdc5dbad7 100644
--- a/Features/Ext4Pkg/Ext4Dxe/BlockGroup.c
+++ b/Features/Ext4Pkg/Ext4Dxe/BlockGroup.c
@@ -50,6 +50,11 @@ Ext4ReadInode (
 EXT4_BLOCK_NR InodeTableStart;=0D
 EFI_STATUS Status;=0D
 =0D
+ if (!EXT4_IS_VALID_INODE_NR (Partition, InodeNum)) {=0D
+ DEBUG ((DEBUG_ERROR, "[ext4] Error reading inode: inode number %lu isn= 't valid\n", InodeNum));=0D
+ return EFI_VOLUME_CORRUPTED;=0D
+ }=0D
+=0D
 BlockGroupNumber =3D (UINT32)DivU64x64Remainder (=0D
 InodeNum - 1,=0D
 Partition->SuperBlock.s_inodes_per_group,=0D
diff --git a/Features/Ext4Pkg/Ext4Dxe/Directory.c b/Features/Ext4Pkg/Ext4Dx= e/Directory.c
index ffc0e8043076..ff476c8641e8 100644
--- a/Features/Ext4Pkg/Ext4Dxe/Directory.c
+++ b/Features/Ext4Pkg/Ext4Dxe/Directory.c
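Review bot: EXT4_IS_VALID_INODE_NR takes its lower bound from `Partition->SuperBlock.s_first_ino`, an on-disk field, so on a corrupted or untrusted image whose revision is not EXT4_GOOD_OLD_REV and whose s_first_ino is small, the reserved inodes this patch names in Ext4Disk.h (quota, resize, journal) would pass as valid directory-entry targets. Nothing in this hunk bounds that field; if superblock validation elsewhere does not already reject `s_first_ino < EXT4_GOOD_OLD_FIRST_INODE_NR`, that check belongs there. Separately, both macros use their arguments unparenthesized and EXT4_IS_VALID_INODE_NR evaluates `InodeNum` up to three times, so `(Partition)->SuperBlock...` and `(InodeNum)` would be safer against expression arguments. The second doc block also lacks an `@param[in] InodeNum` line.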
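Review bot: The DEBUG call added to Ext4ReadInode prints InodeNum with `%lu`, while the two Directory.c messages in this patch print the same kind of value with `%u`. Ext4ReadInode's signature is outside the hunk, but if InodeNum is an EXT4_INO_NR (typedef'd to UINT32 in Ext4Disk.h), the `l` modifier makes the EDK2 print code read a 64-bit vararg for a 32-bit argument; `%u` would match the type and the other messages. The divisor `Partition->SuperBlock.s_inodes_per_group` in the context lines that follow is also an on-disk value, and whether it is rejected when zero is not visible here.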
@@ -163,6 +163,10 @@ Ext4RetrieveDirent (
 if (Entry->inode =3D=3D 0) {=0D
 BlockOffset +=3D Entry->rec_len;=0D
 continue;=0D
+ } else if (!EXT4_IS_VALID_INODE_NR (Partition, Entry->inode)) {=0D
+ DEBUG ((DEBUG_ERROR, "[ext4] Ext4RetrieveDirent directory entry in= ode number %u isn't valid\n", Entry->inode));=0D
+ Status =3D EFI_VOLUME_CORRUPTED;=0D
+ goto Out;=0D
 }=0D
 =0D
 Status =3D Ext4GetUcs2DirentName (Entry, DirentUcs2Name);=0D
@@ -498,6 +502,12 @@ Ext4ReadDir (
 // When inode =3D 0, it's unused.=0D
 ShouldSkip =3D Entry.inode =3D=3D 0 || IsDotOrDotDot;=0D
 =0D
+ if ((Entry.inode !=3D 0) && !EXT4_IS_VALID_INODE_NR (Partition, Entry.= inode)) {=0D
+ DEBUG ((DEBUG_ERROR, "[ext4] Ext4ReadDir directory entry inode numbe= r %u isn't valid\n", Entry.inode));=0D
+ Status =3D EFI_VOLUME_CORRUPTED;=0D
+ goto Out;=0D
+ }=0D
+=0D
 if (ShouldSkip) {=0D
 Offset +=3D Entry.rec_len;=0D
 continue;=0D
--=20
2.38.1
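Review bot: The added branch in Ext4RetrieveDirent is written as `} else if (...)` after a block that already ends in `continue`, while Ext4ReadDir (the hunk at -498) expresses the same test as a standalone `if ((Entry.inode != 0) && ...)`. Using one shape in both places, or a small shared helper that also emits the log line, would keep the two directory walkers from drifting apart. Both paths abort the whole walk with EFI_VOLUME_CORRUPTED on the first out-of-range entry, so one damaged dirent makes every later name in that directory unreachable; if that fail-closed behaviour is intended, a comment such as `// Treat an out-of-range inode number as corruption of the whole directory.` would record it. The `Out` label and the remainder of both functions are outside the hunks.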