[edk2-devel] [edk2-platforms][PATCH v2 06/11] Ext4Pkg: Add inode number validity check

Savva Mitrofanov Mon, 12 Dec 2022 06:47:09 -0800

We need to validate inode number to prevent possible null-pointer
dereference of directory parent in Ext4OpenDirent. Also checks that
inode number valid across opened partition before we read it in
Ext4ReadInode.


Cc: Marvin Häuser <mhaeu...@posteo.de>
Cc: Pedro Falcato <pedro.falc...@gmail.com>
Cc: Vitaly Cheptsov <vit9...@protonmail.com>
Fixes: e55f0527dde48a5f139c1b8f35acc4e6b59dd794
Signed-off-by: Savva Mitrofanov <savva...@gmail.com>
---
 Features/Ext4Pkg/Ext4Dxe/Ext4Disk.h   | 15 +++++++++---
 Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.h    | 25 ++++++++++++++++++++
 Features/Ext4Pkg/Ext4Dxe/BlockGroup.c |  5 ++++
 Features/Ext4Pkg/Ext4Dxe/Directory.c  | 10 ++++++++
 4 files changed, 52 insertions(+), 3 deletions(-)

diff --git a/Features/Ext4Pkg/Ext4Dxe/Ext4Disk.h 
b/Features/Ext4Pkg/Ext4Dxe/Ext4Disk.h
index 1285644dcb25..6b56ce6813fc 100644
--- a/Features/Ext4Pkg/Ext4Dxe/Ext4Disk.h
+++ b/Features/Ext4Pkg/Ext4Dxe/Ext4Disk.h
@@ -397,7 +397,7 @@ typedef struct _Ext4Inode {
   UINT32       i_projid;

 } EXT4_INODE;

 

-#define EXT4_NAME_MAX 255

+#define EXT4_NAME_MAX  255

 

 typedef struct {

   UINT32    inode;

@@ -469,8 +469,17 @@ typedef UINT64  EXT4_BLOCK_NR;
 typedef UINT32  EXT2_BLOCK_NR;

 typedef UINT32  EXT4_INO_NR;

 

-// 2 is always the root inode number in ext4

-#define EXT4_ROOT_INODE_NR  2

+/* Special inode numbers */

+#define EXT4_ROOT_INODE_NR         2

+#define EXT4_USR_QUOTA_INODE_NR    3

+#define EXT4_GRP_QUOTA_INODE_NR    4

+#define EXT4_BOOT_LOADER_INODE_NR  5

+#define EXT4_UNDEL_DIR_INODE_NR    6

+#define EXT4_RESIZE_INODE_NR       7

+#define EXT4_JOURNAL_INODE_NR      8

+

+/* First non-reserved inode for old ext4 filesystems */

+#define EXT4_GOOD_OLD_FIRST_INODE_NR  11

 

 #define EXT4_BLOCK_FILE_HOLE  0

 

diff --git a/Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.h 
b/Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.h
index 81ba568c5947..beceb9d60dcb 100644
--- a/Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.h
+++ b/Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.h
@@ -287,6 +287,31 @@ Ext4GetBlockGroupDesc (
   IN UINT32          BlockGroup

   );

 

+/**

+   Retrieves the first usable non-reserved inode number from the superblock

+   of the opened partition.

+

+   @param[in]  Partition      Pointer to the opened ext4 partition.

+

+   @return The first usable inode number (non-reserved).

+**/

+#define EXT4_FIRST_INODE_NR(Partition)                                         
\

+  ((Partition->SuperBlock.s_rev_level == EXT4_GOOD_OLD_REV) ?                  
\

+         EXT4_GOOD_OLD_FIRST_INODE_NR :                                        
\

+         Partition->SuperBlock.s_first_ino)

+

+/**

+   Checks inode number validity across superblock of the opened partition.

+

+   @param[in]  Partition      Pointer to the opened ext4 partition.

+

+   @return TRUE if inode number is valid.

+**/

+#define EXT4_IS_VALID_INODE_NR(Partition, InodeNum)                            
\

+  (InodeNum == EXT4_ROOT_INODE_NR ||                                           
\

+        (InodeNum >= EXT4_FIRST_INODE_NR(Partition) &&                         
\

+         InodeNum <= Partition->SuperBlock.s_inodes_count))

+

 /**

    Reads an inode from disk.

 

diff --git a/Features/Ext4Pkg/Ext4Dxe/BlockGroup.c 
b/Features/Ext4Pkg/Ext4Dxe/BlockGroup.c
index cba96cd95afc..f34cdc5dbad7 100644
--- a/Features/Ext4Pkg/Ext4Dxe/BlockGroup.c
+++ b/Features/Ext4Pkg/Ext4Dxe/BlockGroup.c
@@ -50,6 +50,11 @@ Ext4ReadInode (
   EXT4_BLOCK_NR          InodeTableStart;

   EFI_STATUS             Status;

 

+  if (!EXT4_IS_VALID_INODE_NR (Partition, InodeNum)) {

+    DEBUG ((DEBUG_ERROR, "[ext4] Error reading inode: inode number %lu isn't 
valid\n", InodeNum));

+    return EFI_VOLUME_CORRUPTED;

+  }

+

   BlockGroupNumber = (UINT32)DivU64x64Remainder (

                                InodeNum - 1,

                                Partition->SuperBlock.s_inodes_per_group,

diff --git a/Features/Ext4Pkg/Ext4Dxe/Directory.c 
b/Features/Ext4Pkg/Ext4Dxe/Directory.c
index ffc0e8043076..ff476c8641e8 100644
--- a/Features/Ext4Pkg/Ext4Dxe/Directory.c
+++ b/Features/Ext4Pkg/Ext4Dxe/Directory.c
@@ -163,6 +163,10 @@ Ext4RetrieveDirent (
       if (Entry->inode == 0) {

         BlockOffset += Entry->rec_len;

         continue;

+      } else if (!EXT4_IS_VALID_INODE_NR (Partition, Entry->inode)) {

+        DEBUG ((DEBUG_ERROR, "[ext4] Ext4RetrieveDirent directory entry inode 
number %u isn't valid\n", Entry->inode));

+        Status = EFI_VOLUME_CORRUPTED;

+        goto Out;

       }

 

       Status = Ext4GetUcs2DirentName (Entry, DirentUcs2Name);

@@ -498,6 +502,12 @@ Ext4ReadDir (
     // When inode = 0, it's unused.

     ShouldSkip = Entry.inode == 0 || IsDotOrDotDot;

 

+    if ((Entry.inode != 0) && !EXT4_IS_VALID_INODE_NR (Partition, 
Entry.inode)) {

+      DEBUG ((DEBUG_ERROR, "[ext4] Ext4ReadDir directory entry inode number %u 
isn't valid\n", Entry.inode));

+      Status = EFI_VOLUME_CORRUPTED;

+      goto Out;

+    }

+

     if (ShouldSkip) {

       Offset += Entry.rec_len;

       continue;

-- 
2.38.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#97266): https://edk2.groups.io/g/devel/message/97266
Mute This Topic: https://groups.io/mt/95622334/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [edk2-platforms][PATCH v2 06/11] Ext4Pkg: Add inode number validity check

Reply via email to