[PATCH 02/12] fuse2fs: fix readlink failure


 



From: Darrick J. Wong <djwong@xxxxxxxxxx>

For readlink of slow symlinks, an IO error when reading the link target
causes memory corruption.  This happens because the error case for
ext2fs_file_read closes the file, translates the error, but then jumps
down to the regular termination code, which re-closes the file and is
hence a UAF.  Straighten out the error paths to eliminate the UAF.
Also fix the bug that short target reads aren't flagged as corruption
as is done in the kernel.

Cc: <linux-ext4@xxxxxxxxxxxxxxx> # v1.43
Fixes: 81cbf1ef4f5dab ("misc: add fuse2fs, a FUSE server for e2fsprogs")
Signed-off-by: "Darrick J. Wong" <djwong@xxxxxxxxxx>
---
 misc/fuse2fs.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)


diff --git a/misc/fuse2fs.c b/misc/fuse2fs.c
index 4d42a634bf377b..f9da9c1ac051cb 100644
--- a/misc/fuse2fs.c
+++ b/misc/fuse2fs.c
@@ -1086,13 +1086,11 @@ static int op_readlink(const char *path, char *buf, size_t len)
 		}
 
 		err = ext2fs_file_read(file, buf, len, &got);
-		if (err || got != len) {
-			ext2fs_file_close(file);
+		if (err)
 			ret = translate_error(fs, ino, err);
-			goto out2;
-		}
+		else if (got != len)
+			ret = translate_error(fs, ino, EXT2_ET_INODE_CORRUPTED);
 
-out2:
 		err = ext2fs_file_close(file);
 		if (ret)
 			goto out;
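
Review bot: the new `else if (got != len)` check compares against `len`, the size parameter of op_readlink, and the hunk context does not show `len` being reduced to the link target length before the ext2fs_file_read() call. If that clamping happens earlier in the function, a one-line comment at this check would make it clear why a short read means EXT2_ET_INODE_CORRUPTED rather than a buffer that is simply larger than the target. Separately, with `out2:` removed, the ext2fs_file_close() result stored in `err` is dropped whenever `ret` is already set, which looks intentional; it is worth confirming that the code after `if (ret) goto out;` still translates a close failure when the read succeeded.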




