		
	import e2fsprogs-1.46.5-3.el9
		
							parent
							
								
									ed31c35c12
								
							
						
					
					
						commit
						50c8ba9773
					
				| @ -0,0 +1,57 @@ | ||||
| From ff6679208f45975a090b1260367f1fc5a17b3db7 Mon Sep 17 00:00:00 2001 | ||||
| From: Lukas Czerner <lczerner@redhat.com> | ||||
| Date: Thu, 21 Apr 2022 19:31:48 +0200 | ||||
| Subject: [PATCH] libext2fs: add sanity check to extent manipulation | ||||
| Content-Type: text/plain | ||||
| 
 | ||||
| It is possible to have a corrupted extent tree in such a way that a leaf | ||||
| node contains zero extents in it. Currently if that happens and we try | ||||
| to traverse the tree we can end up accessing wrong data, or possibly | ||||
| even uninitialized memory. Make sure we don't do that. | ||||
| 
 | ||||
| Additionally make sure that we have a sane number of bytes passed to | ||||
| memmove() in ext2fs_extent_delete(). | ||||
| 
 | ||||
| Note that e2fsck is currently unable to spot and fix such corruption in | ||||
| pass1. | ||||
| 
 | ||||
| Signed-off-by: Lukas Czerner <lczerner@redhat.com> | ||||
| Reported-by: Nils Bars <nils_bars@t-online.de> | ||||
| Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113 | ||||
| Addresses: CVE-2022-1304 | ||||
| Addresses-Debian-Bug: #1010263 | ||||
| Signed-off-by: Theodore Ts'o <tytso@mit.edu> | ||||
| (cherry picked from commit ab51d587bb9b229b1fade1afd02e1574c1ba5c76) | ||||
| ---
 | ||||
|  lib/ext2fs/extent.c | 8 ++++++++ | ||||
|  1 file changed, 8 insertions(+) | ||||
| 
 | ||||
| diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
 | ||||
| index b324c7b0..1a206a16 100644
 | ||||
| --- a/lib/ext2fs/extent.c
 | ||||
| +++ b/lib/ext2fs/extent.c
 | ||||
| @@ -495,6 +495,10 @@ retry:
 | ||||
|  			ext2fs_le16_to_cpu(eh->eh_entries); | ||||
|  		newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max); | ||||
|   | ||||
| +		/* Make sure there is at least one extent present */
 | ||||
| +		if (newpath->left <= 0)
 | ||||
| +			return EXT2_ET_EXTENT_NO_DOWN;
 | ||||
| +
 | ||||
|  		if (path->left > 0) { | ||||
|  			ix++; | ||||
|  			newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block); | ||||
| @@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)
 | ||||
|   | ||||
|  	cp = path->curr; | ||||
|   | ||||
| +	/* Sanity check before memmove() */
 | ||||
| +	if (path->left < 0)
 | ||||
| +		return EXT2_ET_EXTENT_LEAF_BAD;
 | ||||
| +
 | ||||
|  	if (path->left) { | ||||
|  		memmove(cp, cp + sizeof(struct ext3_extent_idx), | ||||
|  			path->left * sizeof(struct ext3_extent_idx)); | ||||
| -- 
 | ||||
| 2.35.3 | ||||
| 
 | ||||
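Review bot: The early return added under `/* Make sure there is at least one extent present */` exits after `newpath->left`, `newpath->entries` and `newpath->max_entries` have already been overwritten, and nothing in the hunk restores handle state before returning `EXT2_ET_EXTENT_NO_DOWN`. The `retry:` block starts and ends outside this hunk, so this is inferred rather than shown: if the handle's level was advanced before this point, the return should undo it first (something like `handle->level--;` ahead of the `return`), as otherwise the handle would stay positioned on the empty node. In `ext2fs_extent_delete()` the new `path->left < 0` test bounds the `memmove()` length only from below. A short comment saying where the upper bound of `path->left` against the node's entry count is enforced would help the next reader.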
| @ -1,7 +1,7 @@ | ||||
| Summary: Utilities for managing ext2, ext3, and ext4 file systems | ||||
| Name: e2fsprogs | ||||
| Version: 1.46.5 | ||||
| Release: 2%{?dist} | ||||
| Release: 3%{?dist} | ||||
| 
 | ||||
| # License tags based on COPYING file distinctions for various components | ||||
| License: GPLv2 | ||||
| @ -41,6 +41,7 @@ BuildRequires: gnupg2 xz | ||||
| Patch0:	0001-Remove-local-PATH.patch | ||||
| Patch1:	0002-man-Add-note-about-RHEL9-supported-features-and-moun.patch | ||||
| Patch2:	0003-mke2fs.conf-Introduce-rhel6-rhel7-and-rhel8-fs_type.patch | ||||
| Patch3: e2fsprogs-libext2fs-add-sanity-check-to-extent-manipulation.patch | ||||
| 
 | ||||
| %description | ||||
| The e2fsprogs package contains a number of utilities for creating, | ||||
| @ -173,6 +174,7 @@ xzcat '%{SOURCE0}' | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1} | ||||
| %patch0 -p1 | ||||
| %patch1 -p1 | ||||
| %patch2 -p1 | ||||
| %patch3 -p1 | ||||
| 
 | ||||
| # Remove flawed tests | ||||
| rm -rf tests/m_rootdir_acl | ||||
| @ -343,6 +345,9 @@ make PRINT_FAILED=yes fullcheck | ||||
| %{_udevdir}/96-e2scrub.rules | ||||
| 
 | ||||
| %changelog | ||||
| * Fri May 13 2022 Lukas Czerner <lczerner@redhat.com> 1.46.5-3 | ||||
| - Add sanity check to extent manipulation (#2073549) | ||||
| 
 | ||||
| * Thu Jan 20 2022 Lukas Czerner <lczerner@redhat.com> - 1.46.5-2 | ||||
| - Rebuild, no changes | ||||
| 
 | ||||
|  | ||||
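Review bot: The new changelog entry `- Add sanity check to extent manipulation (#2073549)` does not name CVE-2022-1304, although the imported patch header carries `Addresses: CVE-2022-1304`. Administrators and scanners commonly read `rpm -q --changelog` for CVE identifiers to confirm that a fix is installed, so I would write `- Add sanity check to extent manipulation (CVE-2022-1304, #2073549)`. The entry header also omits the ` - ` separator before `1.46.5-3` that the previous entry uses.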