From 8672b06550751eafb9108a1d7864957f2b0fedb3 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 15 Nov 2022 01:56:31 -0500 Subject: [PATCH] import e2fsprogs-1.46.5-3.el9 --- ...-sanity-check-to-extent-manipulation.patch | 57 +++++++++++++++++++ SPECS/e2fsprogs.spec | 7 ++- 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 SOURCES/e2fsprogs-libext2fs-add-sanity-check-to-extent-manipulation.patch diff --git a/SOURCES/e2fsprogs-libext2fs-add-sanity-check-to-extent-manipulation.patch b/SOURCES/e2fsprogs-libext2fs-add-sanity-check-to-extent-manipulation.patch new file mode 100644 index 0000000..5608ac0 --- /dev/null +++ b/SOURCES/e2fsprogs-libext2fs-add-sanity-check-to-extent-manipulation.patch @@ -0,0 +1,57 @@ +From ff6679208f45975a090b1260367f1fc5a17b3db7 Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Thu, 21 Apr 2022 19:31:48 +0200 +Subject: [PATCH] libext2fs: add sanity check to extent manipulation +Content-Type: text/plain + +It is possible to have a corrupted extent tree in such a way that a leaf +node contains zero extents in it. Currently if that happens and we try +to traverse the tree we can end up accessing wrong data, or possibly +even uninitialized memory. Make sure we don't do that. + +Additionally make sure that we have a sane number of bytes passed to +memmove() in ext2fs_extent_delete(). + +Note that e2fsck is currently unable to spot and fix such corruption in +pass1. + +Signed-off-by: Lukas Czerner +Reported-by: Nils Bars +Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113 +Addresses: CVE-2022-1304 +Addresses-Debian-Bug: #1010263 +Signed-off-by: Theodore Ts'o +(cherry picked from commit ab51d587bb9b229b1fade1afd02e1574c1ba5c76) +--- + lib/ext2fs/extent.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c +index b324c7b0..1a206a16 100644 +--- a/lib/ext2fs/extent.c ++++ b/lib/ext2fs/extent.c +@@ -495,6 +495,10 @@ retry: + ext2fs_le16_to_cpu(eh->eh_entries); + newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max); + ++ /* Make sure there is at least one extent present */ ++ if (newpath->left <= 0) ++ return EXT2_ET_EXTENT_NO_DOWN; ++ + if (path->left > 0) { + ix++; + newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block); +@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags) + + cp = path->curr; + ++ /* Sanity check before memmove() */ ++ if (path->left < 0) ++ return EXT2_ET_EXTENT_LEAF_BAD; ++ + if (path->left) { + memmove(cp, cp + sizeof(struct ext3_extent_idx), + path->left * sizeof(struct ext3_extent_idx)); +-- +2.35.3 + diff --git a/SPECS/e2fsprogs.spec b/SPECS/e2fsprogs.spec index a8dc9f3..a5d90fe 100644 --- a/SPECS/e2fsprogs.spec +++ b/SPECS/e2fsprogs.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing ext2, ext3, and ext4 file systems Name: e2fsprogs Version: 1.46.5 -Release: 2%{?dist} +Release: 3%{?dist} # License tags based on COPYING file distinctions for various components License: GPLv2 @@ -41,6 +41,7 @@ BuildRequires: gnupg2 xz Patch0: 0001-Remove-local-PATH.patch Patch1: 0002-man-Add-note-about-RHEL9-supported-features-and-moun.patch Patch2: 0003-mke2fs.conf-Introduce-rhel6-rhel7-and-rhel8-fs_type.patch +Patch3: e2fsprogs-libext2fs-add-sanity-check-to-extent-manipulation.patch %description The e2fsprogs package contains a number of utilities for creating, @@ -173,6 +174,7 @@ xzcat '%{SOURCE0}' | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1} %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 # Remove flawed tests rm -rf tests/m_rootdir_acl @@ -343,6 +345,9 @@ make PRINT_FAILED=yes fullcheck %{_udevdir}/96-e2scrub.rules %changelog +* Fri May 13 2022 Lukas Czerner 1.46.5-3 +- Add sanity check to extent manipulation (#2073549) + * Thu Jan 20 2022 Lukas Czerner - 1.46.5-2 - Rebuild, no changes