CVE-2015-1572 and other bug fixes

This commit is contained in:
Eric Sandeen 2015-02-24 11:16:17 -06:00
parent 8c974e07ff
commit 18ad4ba0eb
4 changed files with 149 additions and 3 deletions

View File

@ -0,0 +1,51 @@
commit 49d0fe2a14f2a23da2fe299643379b8c1d37df73
Author: Theodore Ts'o <tytso@mit.edu>
Date: Fri Feb 6 12:46:39 2015 -0500
libext2fs: fix potential buffer overflow in closefs()
The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
s_first_meta_bg is too big" had a typo in the fix for
ext2fs_closefs(). In practice most of the security exposure was from
the openfs path, since this meant if there was a carefully crafted
file system, buffer overrun would be triggered when the file system was
opened.
However, if corrupted file system didn't trip over some corruption
check, and then the file system was modified via tune2fs or debugfs,
such that the superblock was marked dirty and then written out via the
closefs() path, it's possible that the buffer overrun could be
triggered when the file system is closed.
Also clear up a signed vs unsigned warning while we're at it.
Thanks to Nick Kralevich <nnk@google.com> for asking me to look at
compiler warning in the code in question, which led me to notice the
bug in f66e6ce4446.
Addresses: CVE-2015-1572
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
index 1f99113..ab5b2fb 100644
--- a/lib/ext2fs/closefs.c
+++ b/lib/ext2fs/closefs.c
@@ -287,7 +287,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
dgrp_t j;
#endif
char *group_ptr;
- int old_desc_blocks;
+ blk64_t old_desc_blocks;
struct ext2fs_numeric_progress_struct progress;
EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS);
@@ -346,7 +346,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
group_ptr = (char *) group_shadow;
if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
old_desc_blocks = fs->super->s_first_meta_bg;
- if (old_desc_blocks > fs->super->s_first_meta_bg)
+ if (old_desc_blocks > fs->desc_blocks)
old_desc_blocks = fs->desc_blocks;
} else
old_desc_blocks = fs->desc_blocks;

View File

@ -0,0 +1,25 @@
commit fecb231f6fc83cf4b4ddf7ec34ace3723803a499
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Fri Nov 7 21:26:14 2014 -0500
dumpe2fs: don't crash when the user provides no block device argument
If the user doesn't provide any arguments, the guard fails to run and
the whole thing segfaults on ext2fs_open2(). Don't do that.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
diff --git a/misc/dumpe2fs.c b/misc/dumpe2fs.c
index 1eae5a3..4185d6e 100644
--- a/misc/dumpe2fs.c
+++ b/misc/dumpe2fs.c
@@ -575,7 +575,7 @@ int main (int argc, char ** argv)
usage();
}
}
- if (argc - 1 > optind) {
+ if (optind != argc - 1) {
usage();
exit(1);
}

View File

@ -0,0 +1,59 @@
commit 0462fd6db55de28d7e087d8d06ab20339acd8f67
Author: Eric Sandeen <sandeen@sandeen.net>
Date: Sun Dec 14 19:08:59 2014 -0500
resize2fs: don't require fsck to print min size
My previous change ended up requiring that the filesystem
be fsck'd after the last mount, even if we are only querying
the minimum size. This is a bit draconian, and it burned
the Fedora installer, which wants to calculate minimum size
for every filesystem in the box at install time, which in turn
requires a full fsck of every filesystem.
Try this one more time, and separate out the tests to make things
a bit more clear. If we're only printing the min size, don't
require the fsck, as this is a bit less dangerous/critical.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
diff --git a/resize/main.c b/resize/main.c
index 983d8c2..9a35af0 100644
--- a/resize/main.c
+++ b/resize/main.c
@@ -321,10 +321,30 @@ int main (int argc, char ** argv)
}
fs->default_bitmap_type = EXT2FS_BMAP64_RBTREE;
- if (!(mount_flags & EXT2_MF_MOUNTED)) {
- if (!force && ((fs->super->s_lastcheck < fs->super->s_mtime) ||
- (fs->super->s_state & EXT2_ERROR_FS) ||
- ((fs->super->s_state & EXT2_VALID_FS) == 0))) {
+ /*
+ * Before acting on an unmounted filesystem, make sure it's ok,
+ * unless the user is forcing it.
+ *
+ * We do ERROR and VALID checks even if we're only printing the
+ * minimimum size, because traversal of a badly damaged filesystem
+ * can cause issues as well. We don't require it to be fscked after
+ * the last mount time in this case, though, as this is a bit less
+ * risky.
+ */
+ if (!force && !(mount_flags & EXT2_MF_MOUNTED)) {
+ int checkit = 0;
+
+ if (fs->super->s_state & EXT2_ERROR_FS)
+ checkit = 1;
+
+ if ((fs->super->s_state & EXT2_VALID_FS) == 0)
+ checkit = 1;
+
+ if ((fs->super->s_lastcheck < fs->super->s_mtime) &&
+ !print_min_size)
+ checkit = 1;
+
+ if (checkit) {
fprintf(stderr,
_("Please run 'e2fsck -f %s' first.\n\n"),
device_name);

View File

@ -1,7 +1,7 @@
Summary: Utilities for managing ext2, ext3, and ext4 filesystems Summary: Utilities for managing ext2, ext3, and ext4 filesystems
Name: e2fsprogs Name: e2fsprogs
Version: 1.42.12 Version: 1.42.12
Release: 3%{?dist} Release: 4%{?dist}
# License tags based on COPYING file distinctions for various components # License tags based on COPYING file distinctions for various components
License: GPLv2 License: GPLv2
@ -12,6 +12,9 @@ Source2: e2fsck.conf
Patch1: e2fsprogs-1.40.4-sb_feature_check_ignore.patch Patch1: e2fsprogs-1.40.4-sb_feature_check_ignore.patch
Patch2: e2fsprogs-1.42.12-use-after-free-fix.patch Patch2: e2fsprogs-1.42.12-use-after-free-fix.patch
Patch3: e2fsprogs-1.42.12-closefs-cve.patch
Patch4: e2fsprogs-1.42.12-dumpe2fs-segfault.patch
Patch5: e2fsprogs-1.42.12-resize2fs-fsck.patch
Url: http://e2fsprogs.sourceforge.net/ Url: http://e2fsprogs.sourceforge.net/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -152,6 +155,9 @@ It was originally inspired by the Multics SubSystem library.
# after an selinux install... # after an selinux install...
%patch1 -p1 -b .featurecheck %patch1 -p1 -b .featurecheck
%patch2 -p1 %patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build %build
%configure --enable-elf-shlibs --enable-nls --disable-uuidd --disable-fsck \ %configure --enable-elf-shlibs --enable-nls --disable-uuidd --disable-fsck \
@ -333,13 +339,18 @@ exit 0
%{_libdir}/pkgconfig/ss.pc %{_libdir}/pkgconfig/ss.pc
%changelog %changelog
* Tue Feb 24 2015 Eric Sandeen <sandeen@redhat.com> 1.42.12-4
- Fix potential buffer overflow in closefs (#1193947, CVE-2015-1572)
- Fix dumpe2fs segfault with no arguments (#1194063)
- Don't require fsck prior to resize2fs -P (#1170803)
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 1.42.12-3 * Sat Feb 21 2015 Till Maas <opensource@till.name> - 1.42.12-3
- Rebuilt for Fedora 23 Change - Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
* Tue Feb 17 2015 Eric Sandeen <sandeen@redhat.com> 1.42.12-2 * Tue Feb 17 2015 Eric Sandeen <sandeen@redhat.com> 1.42.12-2
- Fix use after free - Fix use after free (#1192861)
- Re-enable time-based fsck if set in superblock (e2fsck.conf) - Fix time-based fsck if set in superblock (e2fsck.conf, #963283)
* Fri Aug 29 2014 Eric Sandeen <sandeen@redhat.com> 1.42.12-1 * Fri Aug 29 2014 Eric Sandeen <sandeen@redhat.com> 1.42.12-1
- New upstream release - New upstream release