https://git.kernel.org/xiang/erofs-utils/c/27aeef179bf17d5f1d98f827e93d24839a6d4176 From: Gao Xiang Date: Fri, 2 Jun 2023 13:52:56 +0800 Subject: erofs-utils: fsck: block insane long paths when extracting images Since some crafted EROFS filesystem images could have insane deep hierarchy (or may form directory loops) which triggers the PATH_MAX-sized path buffer OR stack overflow. Actually some crafted images cannot be deemed as real corrupted images but over-PATH_MAX paths are not something that we'd like to support for now. CVE: CVE-2023-33551 Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551 Reported-by: Chaoming Yang Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs") Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()") Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X") Signeo-off-by: Gao Xiang Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com --- a/fsck/main.c +++ b/fsck/main.c @@ -680,28 +680,35 @@ again: static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx) { int ret; - size_t prev_pos = fsckcfg.extract_pos; + size_t prev_pos, curr_pos; if (ctx->dot_dotdot) return 0; - if (fsckcfg.extract_path) { - size_t curr_pos = prev_pos; + prev_pos = fsckcfg.extract_pos; + curr_pos = prev_pos; + + if (prev_pos + ctx->de_namelen >= PATH_MAX) { + erofs_err("unable to fsck since the path is too long (%u)", + curr_pos + ctx->de_namelen); + return -EOPNOTSUPP; + } + if (fsckcfg.extract_path) { fsckcfg.extract_path[curr_pos++] = '/'; strncpy(fsckcfg.extract_path + curr_pos, ctx->dname, ctx->de_namelen); curr_pos += ctx->de_namelen; fsckcfg.extract_path[curr_pos] = '\0'; - fsckcfg.extract_pos = curr_pos; + } else { + curr_pos += ctx->de_namelen; } - + fsckcfg.extract_pos = curr_pos; ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid); - if (fsckcfg.extract_path) { + if (fsckcfg.extract_path) fsckcfg.extract_path[prev_pos] = '\0'; - fsckcfg.extract_pos = prev_pos; - } + fsckcfg.extract_pos = prev_pos; return ret; } -- cgit