sysprog21 / simplefs

A simple native file system for Linux kernel

Array out of bounds caused by eblock->nr_files

chennbnbnb opened this issue · comments

The function simplefs_create() is missing a check for whether eblock->nr_files is bigger than SIMPLEFS_MAX_SUBFILES,
so when eblock->nr_files is large, eblock->extents[ei].ee_start causes an out-of-bounds array access.

```c
static int simplefs_create(struct inode *dir,
                           struct dentry *dentry,
                           umode_t mode,
                           bool excl)
{
    struct super_block *sb;
    struct simplefs_inode_info *ci_dir;
    struct simplefs_file_ei_block *eblock;
    struct buffer_head *bh;
    int ret = 0;
    int ei = 0, bi = 0, fi = 0;

    ci_dir = SIMPLEFS_INODE(dir);
    sb = dir->i_sb;
    bh = sb_bread(sb, ci_dir->ei_block);
    eblock = (struct simplefs_file_ei_block *) bh->b_data;

    /* Only equality is tested, so nr_files may be very large and still pass. */
    if (eblock->nr_files == SIMPLEFS_MAX_SUBFILES) {
        ret = -EMLINK;
        goto end;
    }
    ...;
    ei = eblock->nr_files / SIMPLEFS_FILES_PER_EXT; /* ei may be very large */
    bi = eblock->nr_files % SIMPLEFS_FILES_PER_EXT / SIMPLEFS_FILES_PER_BLOCK;
    fi = eblock->nr_files % SIMPLEFS_FILES_PER_BLOCK;

    if (!eblock->extents[ei].ee_start) { /* out-of-bounds read */
        ...;
    }
    ...;
}
```

To get a PoC, change the function write_data_blocks() in mkfs.c like this;
nr_files of the root directory will then be very large:

```c
static int write_data_blocks(int fd, struct superblock *sb)
{
    uint32_t *tmp = calloc(1, SIMPLEFS_BLOCK_SIZE);
    if (!tmp)
        return -1;
    tmp[0] = 0xdeadbeef; /* root directory's nr_files = 0xdeadbeef */
    write(fd, tmp, SIMPLEFS_BLOCK_SIZE);
    free(tmp);
    return 0;
}
```

Mount the disk image created by mkfs.simplefs and then try to create a file in the root directory; you will get a crash.
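As an added illustration (not code from simplefs or from the reporter), this user-space C model reproduces the slot computation from the report with small assumed layout constants and shows how rejecting every on-disk nr_files at or above the maximum, before it is used as an index, keeps ei inside extents[]. The struct and constants are stand-ins, not the real simplefs definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed illustrative layout constants, not the values from simplefs.h. */
#define FILES_PER_BLOCK   4
#define BLOCKS_PER_EXTENT 2
#define FILES_PER_EXT     (FILES_PER_BLOCK * BLOCKS_PER_EXTENT)
#define MAX_EXTENTS       3
#define MAX_SUBFILES      (FILES_PER_EXT * MAX_EXTENTS)

struct extent { uint32_t ee_start; uint32_t ee_len; };

/* Mock of a directory's extent index block as read from disk. */
struct dir_ei_block {
    uint32_t nr_files;              /* untrusted: comes straight off the image */
    struct extent extents[MAX_EXTENTS];
};

/* Hardened slot lookup: treat nr_files as untrusted and bound it with >=,
 * not ==, before deriving any array index from it. */
static bool locate_slot(const struct dir_ei_block *eb,
                        size_t *ei, size_t *bi, size_t *fi)
{
    if (eb->nr_files >= MAX_SUBFILES)   /* directory full or block corrupt */
        return false;
    *ei = eb->nr_files / FILES_PER_EXT;
    *bi = eb->nr_files % FILES_PER_EXT / FILES_PER_BLOCK;
    *fi = eb->nr_files % FILES_PER_BLOCK;
    return *ei < MAX_EXTENTS;           /* guaranteed by the check above */
}

/* Extent index the unchecked arithmetic would use, for comparison. */
static uint32_t unchecked_ei(uint32_t nr_files) { return nr_files / FILES_PER_EXT; }

/* Probe one on-disk count: validated extent index, or -1 if rejected. */
static int checked_ei(uint32_t nr_files)
{
    struct dir_ei_block eb = { .nr_files = nr_files };
    size_t ei, bi, fi;
    return locate_slot(&eb, &ei, &bi, &fi) ? (int) ei : -1;
}

int main(void)
{
    uint32_t bad = 0xdeadbeefu;  /* constructed: the count from the report */
    printf("unchecked ei=%u (limit %d), checked ei=%d\n",
           unchecked_ei(bad), MAX_EXTENTS, checked_ei(bad));
    return 0;
}
```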