-0700 X-Received: by mail-wm1-f54.google.com with SMTP id f10so7639148wml.2 for ; Sat, 21 Aug 2021 07:48:23 -0700 (PDT) X-Gm-Message-State: 7glV3vkOE4tZaacPqaDTlRgXx1787277AA= X-Google-Smtp-Source: ABdhPJyx7L1J5udP3fOV4djgAKm6HQ1m00lFvpzjxhiEgm3T+Ia3COjZ/e50v9Mz/l+dZuaJWAGOTw== X-Received: by 2002:a7b:c756:: with SMTP id w22mr8646139wmk.169.1629557301950; Sat, 21 Aug 2021 07:48:21 -0700 (PDT) X-Received: from PC-PEDRO.lan (bl8-253-151.dsl.telepac.pt. [85.241.253.151]) by smtp.gmail.com with ESMTPSA id j17sm9118036wrt.69.2021.08.21.07.48.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 21 Aug 2021 07:48:21 -0700 (PDT) From: "Pedro Falcato" To: devel@edk2.groups.io Cc: Pedro Falcato , Leif Lindholm , Michael D Kinney , Bret Barkelew Subject: [edk2-devel] [edk2-platforms PATCH v2 5/5] Ext4Pkg: Sanity check more EXT4_DIR_ENTRY values. Date: Sat, 21 Aug 2021 15:47:10 +0100 Message-Id: <20210821144711.39546-6-pedro.falcato@gmail.com> In-Reply-To: <20210821144711.39546-1-pedro.falcato@gmail.com> References: <20210821144711.39546-1-pedro.falcato@gmail.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,pedro.falcato@gmail.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1629557304; bh=uOrupqxXTqpB4r4Txk6gc3fyyiRHx4bPwZqYjsMwASQ=; h=Cc:Date:From:Reply-To:Subject:To; b=E/mj5bbP6KUmT/dW43iSq4XNCo+YfSMjoPO9sTggdkw0jX+zgGrx57EQd3cVBVISFSh NoO+EDUyeh/oWTBWdKrdiBEUlWlLS6TC5xDGKirIetbFeybACE9MMIHIxAZfHct8XKT7a AND3KDlZmTDPtJ9O43KTssvf2tgJEg4hpT8= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1629557305287100017 Content-Type: text/plain; charset="utf-8" This should close up some possible exploits using crafted filesystem images. Cc: Leif Lindholm Cc: Michael D Kinney Cc: Bret Barkelew 
Signed-off-by: Pedro Falcato
---
 Features/Ext4Pkg/Ext4Dxe/Directory.c | 90 ++++++++++++++++------------
 1 file changed, 51 insertions(+), 39 deletions(-)

diff --git a/Features/Ext4Pkg/Ext4Dxe/Directory.c b/Features/Ext4Pkg/Ext4Dx= e/Directory.c
index 7d1b2dcfe524..102c82f05da0 100644
--- a/Features/Ext4Pkg/Ext4Dxe/Directory.c
+++ b/Features/Ext4Pkg/Ext4Dxe/Directory.c
@@ -50,6 +50,37 @@ Ext4GetUcs2DirentName (
 return Status;
 }
=20
+/**
+ Validates a directory entry.
+
+ @param[in] Dirent Pointer to the directory entry.
+
+ @retval TRUE Valid directory entry.
+ FALSE Invalid directory entry.
+**/
+STATIC
+BOOLEAN
+Ext4ValidDirent (
+ IN CONST EXT4_DIR_ENTRY *Dirent
+ )
+{
+ UINTN RequiredSize;
+
+ RequiredSize =3D Dirent->name_len + EXT4_MIN_DIR_ENTRY_LEN;
+
+ if (Dirent->rec_len < RequiredSize) {
+ DEBUG ((DEBUG_ERROR, "[ext4] dirent size %lu too small (compared to %l= u)\n", Dirent->rec_len, RequiredSize));
+ return FALSE;
+ }
+
+ // Dirent sizes need to be 4 byte aligned
+ if (Dirent->rec_len % 4) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
 /**
 Retrieves a directory entry.
=20
@@ -75,11 +106,11 @@ Ext4RetrieveDirent (
 UINT64 DirInoSize;
 UINT32 BlockRemainder;
 UINTN Length;
- CHAR8 *BufPtr;
 EXT4_DIR_ENTRY *Entry;
 UINTN RemainingBlock;
 CHAR16 DirentUcs2Name[EXT4_NAME_MAX + 1];
 UINTN ToCopy;
+ UINTN BlockOffset;
=20
 Status =3D EFI_NOT_FOUND;
 Buf =3D AllocatePool (Partition->BlockSize);
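Review bot: In the `DEBUG` call added to Ext4ValidDirent, `%lu` is paired with `Dirent->rec_len` and `RequiredSize`; in EDK2 PrintLib the `l` modifier consumes a 64-bit argument, so a 16-bit on-disk `rec_len` (promoted to int) and a UINTN `RequiredSize` on an IA32 build are both narrower than what the format reads, and the logged sizes can be garbage or shift the following argument. Cast both to 64 bits, e.g. `(UINT64)Dirent->rec_len, (UINT64)RequiredSize`, or use `%u` with `(UINT32)` casts. The 4-byte alignment rejection below it returns FALSE silently, unlike the size check, so a matching `DEBUG ((DEBUG_ERROR, "[ext4] dirent size %u not 4-byte aligned\n", (UINT32)Dirent->rec_len));` would keep corrupted-image diagnostics consistent. The declared type of `rec_len` is not visible in this hunk, so confirm against EXT4_DIR_ENTRY.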
@@ -109,14 +140,19 @@ Ext4RetrieveDirent (
 return Status;
 }
=20
- for (BufPtr =3D Buf; BufPtr < Buf + Partition->BlockSize; ) {
- Entry =3D (EXT4_DIR_ENTRY *)BufPtr;
- if (Entry->rec_len =3D=3D 0) {
+ for (BlockOffset =3D 0; BlockOffset < Partition->BlockSize; ) {
+ Entry =3D (EXT4_DIR_ENTRY *)(Buf + BlockOffset);
+ RemainingBlock =3D Partition->BlockSize - BlockOffset;
+ // Check if the minimum directory entry fits inside [BlockOffset, En= dOfBlock]
+ if (RemainingBlock < EXT4_MIN_DIR_ENTRY_LEN) {
 FreePool (Buf);
 return EFI_VOLUME_CORRUPTED;
 }
=20
- RemainingBlock =3D Partition->BlockSize - (BufPtr - Buf);
+ if (!Ext4ValidDirent (Entry)) {
+ FreePool (Buf);
+ return EFI_VOLUME_CORRUPTED;
+ }
=20
 if (Entry->name_len > RemainingBlock || Entry->rec_len > RemainingBl= ock) {
 // Corrupted filesystem
@@ -131,12 +167,13 @@ Ext4RetrieveDirent (
 2) Linux and a number of BSDs also have a filename limit of 255.
 */
 if (Entry->name_len > EXT4_NAME_MAX) {
+ BlockOffset +=3D Entry->rec_len;
 continue;
 }
=20
 // Unused entry
 if (Entry->inode =3D=3D 0) {
- BufPtr +=3D Entry->rec_len;
+ BlockOffset +=3D Entry->rec_len;
 continue;
 }
=20
@@ -150,7 +187,7 @@ Ext4RetrieveDirent (
 if (EFI_ERROR (Status)) {
 // If we error out, skip this entry
 // I'm not sure if this is correct behaviour, but I don't think th= ere's a precedent here.
- BufPtr +=3D Entry->rec_len;
+ BlockOffset +=3D Entry->rec_len;
 continue;
 }
=20
@@ -163,7 +200,7 @@ Ext4RetrieveDirent (
 return EFI_SUCCESS;
 }
=20
- BufPtr +=3D Entry->rec_len;
+ BlockOffset +=3D Entry->rec_len;
 }
=20
 Off +=3D Partition->BlockSize;
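Review bot: Once `Ext4ValidDirent (Entry)` has returned TRUE, the `Entry->name_len > RemainingBlock` half of the context-line condition that follows can no longer be true when `Entry->rec_len > RemainingBlock` is false, because the helper already requires rec_len >= name_len + EXT4_MIN_DIR_ENTRY_LEN; the condition can shrink to `if (Entry->rec_len > RemainingBlock) {` with a comment such as `// rec_len <= RemainingBlock plus Ext4ValidDirent's lower bound keeps the name inside Buf`. The check order is sound as written: RemainingBlock is compared with EXT4_MIN_DIR_ENTRY_LEN before any field of Entry is read, assuming that constant covers the rec_len and name_len fields. One hedged caveat: an ext4 image with 64 KiB blocks stores the last entry's rec_len on disk as 0 or 0xFFFF (meaning "to end of block"), and every path here reports that as EFI_VOLUME_CORRUPTED; that predates this patch, but if such block sizes are unsupported on purpose a comment saying so would spare the next reader a false corruption hunt. Ext4RetrieveDirent starts and ends outside this hunk.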
@@ -379,37 +416,6 @@ Ext4OpenVolume (
 return EFI_SUCCESS;
 }
=20
-/**
- Validates a directory entry.
-
- @param[in] Dirent Pointer to the directory entry.
-
- @retval TRUE Valid directory entry.
- FALSE Invalid directory entry.
-**/
-STATIC
-BOOLEAN
-Ext4ValidDirent (
- IN CONST EXT4_DIR_ENTRY *Dirent
- )
-{
- UINTN RequiredSize;
-
- RequiredSize =3D Dirent->name_len + EXT4_MIN_DIR_ENTRY_LEN;
-
- if (Dirent->rec_len < RequiredSize) {
- DEBUG ((DEBUG_ERROR, "[ext4] dirent size %lu too small (compared to %l= u)\n", Dirent->rec_len, RequiredSize));
- return FALSE;
- }
-
- // Dirent sizes need to be 4 byte aligned
- if (Dirent->rec_len % 4) {
- return FALSE;
- }
-
- return TRUE;
-}
-
 /**
 Reads a directory entry.
=20
@@ -481,6 +487,12 @@ Ext4ReadDir (
 goto Out;
 }
=20
+ // Check if the entire dir entry length fits in Len
+ if (Len < EXT4_MIN_DIR_ENTRY_LEN + Entry.name_len) {
+ Status =3D EFI_VOLUME_CORRUPTED;
+ goto Out;
+ }
+
 // We don't care about passing . or .. entries to the caller of ReadDi= r(),
 // since they're generally useless entries *and* may break things if t= oo
 // many callers assume FAT32.
--=20
2.33.0


-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#79666): https://edk2.groups.io/g/devel/message/79666
Mute This Topic: https://groups.io/mt/85043015/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
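Review bot: The added `Len < EXT4_MIN_DIR_ENTRY_LEN + Entry.name_len` check in Ext4ReadDir guards against a short read, but it does not apply the rec_len lower bound and 4-byte alignment that Ext4ValidDirent now enforces on the Ext4RetrieveDirent path; if Ext4ReadDir does not already call `Ext4ValidDirent (&Entry)` earlier in its body (outside this hunk), the two readers disagree on what a corrupted entry is and a crafted image could still advance by an undersized rec_len here. Adding `if (!Ext4ValidDirent (&Entry)) { Status = EFI_VOLUME_CORRUPTED; goto Out; }` beside the new check keeps both paths consistent. The comment above the check would be clearer as `// Make sure the bytes actually read cover the fixed header plus the name`. Ext4ReadDir starts and ends outside this hunk.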