diff --git a/SOURCES/e2fsprogs-1.45.6-Add-checks-for-fs-blocksize-0-which-could-cause-some.patch b/SOURCES/e2fsprogs-1.45.6-Add-checks-for-fs-blocksize-0-which-could-cause-some.patch new file mode 100644 index 0000000..134b911 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-Add-checks-for-fs-blocksize-0-which-could-cause-some.patch @@ -0,0 +1,100 @@ +From 0111635ea5798f98665714e161c3c7746184a04b Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 23 Feb 2021 16:02:42 -0500 +Subject: [PATCH 21/46] Add checks for fs->blocksize == 0 which could cause + some crashes +Content-Type: text/plain + +This should never happeb, but some checks is useful, and also fixes +some Coverity warnings. + +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + debugfs/do_journal.c | 2 -- + lib/ext2fs/csum.c | 3 +++ + lib/ext2fs/ext2_err.et.in | 3 +++ + lib/ext2fs/inode.c | 4 ++++ + misc/e2image.c | 5 +++-- + 5 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/debugfs/do_journal.c b/debugfs/do_journal.c +index 5091a530..8261fa95 100644 +--- a/debugfs/do_journal.c ++++ b/debugfs/do_journal.c +@@ -528,8 +528,6 @@ static errcode_t journal_write(journal_t *journal, + } + + err = journal_close_trans(&trans); +- if (err) +- goto error; + error: + return err; + } +diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c +index 2151003b..28b3bb05 100644 +--- a/lib/ext2fs/csum.c ++++ b/lib/ext2fs/csum.c +@@ -263,6 +263,9 @@ static errcode_t __get_dirent_tail(ext2_filsys fs, + errcode_t retval = 0; + __u16 (*translate)(__u16) = (need_swab ? disk_to_host16 : do_nothing16); + ++ if (fs->blocksize < 1024) ++ return EXT2_FILSYS_CORRUPTED; /* Should never happen */ ++ + d = dirent; + top = EXT2_DIRENT_TAIL(dirent, fs->blocksize); + +diff --git a/lib/ext2fs/ext2_err.et.in b/lib/ext2fs/ext2_err.et.in +index 0c76fee6..cf0e00ea 100644 +--- a/lib/ext2fs/ext2_err.et.in ++++ b/lib/ext2fs/ext2_err.et.in +@@ -548,4 +548,7 @@ ec EXT2_ET_EA_INODE_CORRUPTED, + ec EXT2_ET_NO_GDESC, + "Group descriptors not loaded" + ++ec EXT2_FILSYS_CORRUPTED, ++ "The internal ext2_filsys data structure appears to be corrupted" ++ + end +diff --git a/lib/ext2fs/inode.c b/lib/ext2fs/inode.c +index c4377eeb..6f42882e 100644 +--- a/lib/ext2fs/inode.c ++++ b/lib/ext2fs/inode.c +@@ -144,6 +144,8 @@ errcode_t ext2fs_open_inode_scan(ext2_filsys fs, int buffer_blocks, + errcode_t (*save_get_blocks)(ext2_filsys f, ext2_ino_t ino, blk_t *blocks); + + EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS); ++ if (fs->blocksize < 1024) ++ return EXT2_FILSYS_CORRUPTED; /* Should never happen */ + + /* + * If fs->badblocks isn't set, then set it --- since the inode +@@ -764,6 +766,8 @@ errcode_t ext2fs_read_inode2(ext2_filsys fs, ext2_ino_t ino, + int cache_slot, fail_csum; + + EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS); ++ if (fs->blocksize < 1024) ++ return EXT2_FILSYS_CORRUPTED; /* Should never happen */ + + /* Check to see if user has an override function */ + if (fs->read_inode && +diff --git a/misc/e2image.c b/misc/e2image.c +index 892c5371..195fabb2 100644 +--- a/misc/e2image.c ++++ b/misc/e2image.c +@@ -892,8 +892,9 @@ static errcode_t initialize_qcow2_image(int fd, ext2_filsys fs, + int cluster_bits = get_bits_from_size(fs->blocksize); + struct ext2_super_block *sb = fs->super; + +- if (fs->blocksize < 1024) +- return EINVAL; /* Can never happen, but just in case... */ ++ /* Sbould never happen, but just in case... */ ++ if (cluster_bits < 0) ++ return EXT2_FILSYS_CORRUPTED; + + /* Allocate header */ + ret = ext2fs_get_memzero(sizeof(struct ext2_qcow2_hdr), &header); +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-Fix-clang-warnings.patch b/SOURCES/e2fsprogs-1.45.6-Fix-clang-warnings.patch new file mode 100644 index 0000000..f4f696a --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-Fix-clang-warnings.patch @@ -0,0 +1,104 @@ +From 1466a142efe5b20ddda2ce96c0d409dc294fd1b2 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 23 Jan 2021 00:57:18 -0500 +Subject: [PATCH 17/46] Fix clang warnings +Content-Type: text/plain + +Clang gets unhappy when passing an unsigned char to string functions. +For better or for worse we use __u8[] in the definition of the +superblock. So cast them these to "char *" to prevent clang +build-time warnings. + +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + e2fsck/unix.c | 2 +- + lib/ext2fs/mmp.c | 8 ++++---- + misc/e2fuzz.c | 3 ++- + misc/mke2fs.c | 4 ++-- + 4 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/e2fsck/unix.c b/e2fsck/unix.c +index e71d7833..15a73e7c 100644 +--- a/e2fsck/unix.c ++++ b/e2fsck/unix.c +@@ -1693,7 +1693,7 @@ failure: + * or informational messages to the user. + */ + if (ctx->device_name == 0 && sb->s_volume_name[0]) +- ctx->device_name = string_copy(ctx, sb->s_volume_name, ++ ctx->device_name = string_copy(ctx, (char *) sb->s_volume_name, + sizeof(sb->s_volume_name)); + + if (ctx->device_name == 0) +diff --git a/lib/ext2fs/mmp.c b/lib/ext2fs/mmp.c +index e96a2273..973b9ecd 100644 +--- a/lib/ext2fs/mmp.c ++++ b/lib/ext2fs/mmp.c +@@ -210,11 +210,11 @@ static errcode_t ext2fs_mmp_reset(ext2_filsys fs) + mmp_s->mmp_seq = EXT4_MMP_SEQ_CLEAN; + mmp_s->mmp_time = 0; + #ifdef HAVE_GETHOSTNAME +- gethostname(mmp_s->mmp_nodename, sizeof(mmp_s->mmp_nodename)); ++ gethostname((char *) mmp_s->mmp_nodename, sizeof(mmp_s->mmp_nodename)); + #else + mmp_s->mmp_nodename[0] = '\0'; + #endif +- strncpy(mmp_s->mmp_bdevname, fs->device_name, ++ strncpy((char *) mmp_s->mmp_bdevname, fs->device_name, + sizeof(mmp_s->mmp_bdevname)); + + mmp_s->mmp_check_interval = fs->super->s_mmp_update_interval; +@@ -352,11 +352,11 @@ clean_seq: + + mmp_s->mmp_seq = seq = ext2fs_mmp_new_seq(); + #ifdef HAVE_GETHOSTNAME +- gethostname(mmp_s->mmp_nodename, sizeof(mmp_s->mmp_nodename)); ++ gethostname((char *) mmp_s->mmp_nodename, sizeof(mmp_s->mmp_nodename)); + #else + strcpy(mmp_s->mmp_nodename, "unknown host"); + #endif +- strncpy(mmp_s->mmp_bdevname, fs->device_name, ++ strncpy((char *) mmp_s->mmp_bdevname, fs->device_name, + sizeof(mmp_s->mmp_bdevname)); + + retval = ext2fs_mmp_write(fs, fs->super->s_mmp_block, fs->mmp_buf); +diff --git a/misc/e2fuzz.c b/misc/e2fuzz.c +index 7c0f776f..65b6ae73 100644 +--- a/misc/e2fuzz.c ++++ b/misc/e2fuzz.c +@@ -172,7 +172,8 @@ static uint64_t rand_num(uint64_t min, uint64_t max) + for (i = 0; i < sizeof(x); i++) + px[i] = random(); + +- return min + (uint64_t)((double)(max - min) * (x / (UINT64_MAX + 1.0))); ++ return min + (uint64_t)((double)(max - min) * ++ (x / ((double) UINT64_MAX + 1.0))); + } + + static int process_fs(const char *fsname) +diff --git a/misc/mke2fs.c b/misc/mke2fs.c +index 27e7d174..0184a3a8 100644 +--- a/misc/mke2fs.c ++++ b/misc/mke2fs.c +@@ -3151,7 +3151,7 @@ int main (int argc, char *argv[]) + if (volume_label) { + memset(fs->super->s_volume_name, 0, + sizeof(fs->super->s_volume_name)); +- strncpy(fs->super->s_volume_name, volume_label, ++ strncpy((char *) fs->super->s_volume_name, volume_label, + sizeof(fs->super->s_volume_name)); + } + +@@ -3161,7 +3161,7 @@ int main (int argc, char *argv[]) + if (mount_dir) { + memset(fs->super->s_last_mounted, 0, + sizeof(fs->super->s_last_mounted)); +- strncpy(fs->super->s_last_mounted, mount_dir, ++ strncpy((char *) fs->super->s_last_mounted, mount_dir, + sizeof(fs->super->s_last_mounted)); + } + +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-append_pathname-check-the-value-returned-by-realloc.patch b/SOURCES/e2fsprogs-1.45.6-append_pathname-check-the-value-returned-by-realloc.patch new file mode 100644 index 0000000..cfcc1f1 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-append_pathname-check-the-value-returned-by-realloc.patch @@ -0,0 +1,48 @@ +From c74301ce5020c499445eb5c32bd70e4a1099a62d Mon Sep 17 00:00:00 2001 +From: wuguanghao +Date: Wed, 30 Jun 2021 16:27:18 +0800 +Subject: [PATCH 29/46] append_pathname: check the value returned by realloc +Content-Type: text/plain + +In append_pathname(), we need to add a new path to save the value +returned by realloc, otherwise the name->path may be NULL, causing +a segfault. + +Signed-off-by: Wu Guanghao +Signed-off-by: Zhiqiang Liu +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + contrib/fsstress.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/contrib/fsstress.c b/contrib/fsstress.c +index 2a983482..2136a903 100644 +--- a/contrib/fsstress.c ++++ b/contrib/fsstress.c +@@ -599,6 +599,7 @@ void add_to_flist(int ft, int id, int parent) + void append_pathname(pathname_t * name, char *str) + { + int len; ++ char *path; + + len = strlen(str); + #ifdef DEBUG +@@ -609,7 +610,13 @@ void append_pathname(pathname_t * name, char *str) + + } + #endif +- name->path = realloc(name->path, name->len + 1 + len); ++ path = realloc(name->path, name->len + 1 + len); ++ if (path == NULL) { ++ fprintf(stderr, "fsstress: append_pathname realloc failed\n"); ++ chdir(homedir); ++ abort(); ++ } ++ name->path = path; + strcpy(&name->path[name->len], str); + name->len += len; + } +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-argv_parse-check-return-value-of-malloc-in-argv_pars.patch b/SOURCES/e2fsprogs-1.45.6-argv_parse-check-return-value-of-malloc-in-argv_pars.patch new file mode 100644 index 0000000..11816ee --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-argv_parse-check-return-value-of-malloc-in-argv_pars.patch @@ -0,0 +1,34 @@ +From 9e298ba470a6abc7d94fe659cf65fcb0b993c0b8 Mon Sep 17 00:00:00 2001 +From: Zhiqiang Liu +Date: Wed, 30 Jun 2021 16:27:19 +0800 +Subject: [PATCH 30/46] argv_parse: check return value of malloc in + argv_parse() +Content-Type: text/plain + +In argv_parse(), return value of malloc should be checked +whether it is NULL, otherwise, it may cause a segfault error. + +Signed-off-by: Zhiqiang Liu +Signed-off-by: Wu Guanghao +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/support/argv_parse.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/support/argv_parse.c b/lib/support/argv_parse.c +index d22f6344..1f50f9e5 100644 +--- a/lib/support/argv_parse.c ++++ b/lib/support/argv_parse.c +@@ -116,6 +116,8 @@ int argv_parse(char *in_buf, int *ret_argc, char ***ret_argv) + if (argv == 0) { + argv = malloc(sizeof(char *)); + free(buf); ++ if (!argv) ++ return -1; + } + argv[argc] = 0; + if (ret_argc) +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-create_inode-set-xattrs-to-the-root-directory-as-wel.patch b/SOURCES/e2fsprogs-1.45.6-create_inode-set-xattrs-to-the-root-directory-as-wel.patch new file mode 100644 index 0000000..00eab72 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-create_inode-set-xattrs-to-the-root-directory-as-wel.patch @@ -0,0 +1,47 @@ +From ade5263a516e4081abc14f63a73a5e0a96bb3f71 Mon Sep 17 00:00:00 2001 +From: Antoine Tenart +Date: Fri, 17 Jul 2020 12:08:46 +0200 +Subject: [PATCH 13/46] create_inode: set xattrs to the root directory as well +Content-Type: text/plain + +populate_fs do copy the xattrs for all files and directories, but the +root directory is skipped and as a result its extended attributes aren't +set. This is an issue when using mkfs to build a full system image that +can be used with SElinux in enforcing mode without making any runtime +fix at first boot. + +This patch adds logic to set the root directory's extended attributes. + +Signed-off-by: Antoine Tenart +Reviewed-by: Andreas Dilger +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + misc/create_inode.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/misc/create_inode.c b/misc/create_inode.c +index 837f3875..6f8487b9 100644 +--- a/misc/create_inode.c ++++ b/misc/create_inode.c +@@ -1050,9 +1050,17 @@ errcode_t populate_fs2(ext2_filsys fs, ext2_ino_t parent_ino, + file_info.path_max_len = 255; + file_info.path = calloc(file_info.path_max_len, 1); + ++ retval = set_inode_xattr(fs, root, source_dir); ++ if (retval) { ++ com_err(__func__, retval, ++ _("while copying xattrs on root directory")); ++ goto out; ++ } ++ + retval = __populate_fs(fs, parent_ino, source_dir, root, &hdlinks, + &file_info, fs_callbacks); + ++out: + free(file_info.path); + free(hdlinks.hdl); + return retval; +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-debugfs-fix-double-free-in-realloc-error-path-in-rea.patch b/SOURCES/e2fsprogs-1.45.6-debugfs-fix-double-free-in-realloc-error-path-in-rea.patch new file mode 100644 index 0000000..1ca7351 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-debugfs-fix-double-free-in-realloc-error-path-in-rea.patch @@ -0,0 +1,35 @@ +From 4126c63885388e568ade780e9fed6ede37faf978 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 21 Jan 2021 16:01:14 -0500 +Subject: [PATCH 16/46] debugfs: fix double free in realloc() error path in + read_list() +Content-Type: text/plain + +Fixes-Coverity-Bug: 1464575 +Fixes-Coverity-Bug: 1464571 +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + debugfs/util.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/debugfs/util.c b/debugfs/util.c +index 759bb392..091f6f65 100644 +--- a/debugfs/util.c ++++ b/debugfs/util.c +@@ -545,10 +545,8 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len) + goto err; + } + l = realloc(lst, sizeof(blk64_t) * (ln + y - x + 1)); +- if (l == NULL) { +- retval = ENOMEM; +- goto err; +- } ++ if (l == NULL) ++ return ENOMEM; + lst = l; + for (; x <= y; x++) + lst[ln++] = x; +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-debugfs-fix-memory-allocation-failures-when-parsing-.patch b/SOURCES/e2fsprogs-1.45.6-debugfs-fix-memory-allocation-failures-when-parsing-.patch new file mode 100644 index 0000000..624db65 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-debugfs-fix-memory-allocation-failures-when-parsing-.patch @@ -0,0 +1,92 @@ +From b31f493cadc92023056a096d0281957c49fca22c Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 12 Feb 2021 21:43:00 -0500 +Subject: [PATCH 19/46] debugfs: fix memory allocation failures when parsing + journal_write arguments +Content-Type: text/plain + +Fix double-free issues when parsing an invalid journal_write command, +such as: "journal_write -b 12 -b BAD -b 42". + +Addresses-Coverity-Bug: 1464571 +Addresses-Coverity-Bug: 1464575 +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + debugfs/do_journal.c | 8 ++++++-- + debugfs/util.c | 15 +++++++-------- + 2 files changed, 13 insertions(+), 10 deletions(-) + +diff --git a/debugfs/do_journal.c b/debugfs/do_journal.c +index 15ef6829..5091a530 100644 +--- a/debugfs/do_journal.c ++++ b/debugfs/do_journal.c +@@ -554,15 +554,19 @@ void do_journal_write(int argc, char *argv[], int sci_idx EXT2FS_ATTR((unused)), + switch (opt) { + case 'b': + err = read_list(optarg, &blist, &bn); +- if (err) ++ if (err) { + com_err(argv[0], err, + "while reading block list"); ++ goto out; ++ } + break; + case 'r': + err = read_list(optarg, &rlist, &rn); +- if (err) ++ if (err) { + com_err(argv[0], err, + "while reading revoke list"); ++ goto out; ++ } + break; + case 'c': + flags |= JOURNAL_WRITE_NO_COMMIT; +diff --git a/debugfs/util.c b/debugfs/util.c +index 091f6f65..bbb20ff6 100644 +--- a/debugfs/util.c ++++ b/debugfs/util.c +@@ -521,7 +521,7 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len) + blk64_t *lst = *list; + size_t ln = *len; + char *tok, *p = str; +- errcode_t retval; ++ errcode_t retval = 0; + + while ((tok = strtok(p, ","))) { + blk64_t *l; +@@ -538,15 +538,17 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len) + return errno; + } else if (*e != 0) { + retval = EINVAL; +- goto err; ++ break; + } + if (y < x) { + retval = EINVAL; +- goto err; ++ break; + } + l = realloc(lst, sizeof(blk64_t) * (ln + y - x + 1)); +- if (l == NULL) +- return ENOMEM; ++ if (l == NULL) { ++ retval = ENOMEM; ++ break; ++ } + lst = l; + for (; x <= y; x++) + lst[ln++] = x; +@@ -555,8 +557,5 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len) + + *list = lst; + *len = ln; +- return 0; +-err: +- free(lst); + return retval; + } +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-debugfs-fix-memory-leak-problem-in-read_list.patch b/SOURCES/e2fsprogs-1.45.6-debugfs-fix-memory-leak-problem-in-read_list.patch new file mode 100644 index 0000000..5847307 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-debugfs-fix-memory-leak-problem-in-read_list.patch @@ -0,0 +1,46 @@ +From 9221fb77a7187957ed84e45bf6ad6f5e37755e5c Mon Sep 17 00:00:00 2001 +From: Zhiqiang Liu +Date: Sat, 20 Feb 2021 16:41:29 +0800 +Subject: [PATCH 22/46] debugfs: fix memory leak problem in read_list() +Content-Type: text/plain + +In read_list func, if strtoull() fails in while loop, +we will return the error code directly. Then, memory of +variable lst will be leaked without setting to *list. + +Signed-off-by: Zhiqiang Liu +Signed-off-by: linfeilong +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + debugfs/util.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/debugfs/util.c b/debugfs/util.c +index bbb20ff6..37620295 100644 +--- a/debugfs/util.c ++++ b/debugfs/util.c +@@ -530,12 +530,16 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len) + + errno = 0; + y = x = strtoull(tok, &e, 0); +- if (errno) +- return errno; ++ if (errno) { ++ retval = errno; ++ break; ++ } + if (*e == '-') { + y = strtoull(e + 1, NULL, 0); +- if (errno) +- return errno; ++ if (errno) { ++ retval = errno; ++ break; ++ } + } else if (*e != 0) { + retval = EINVAL; + break; +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-debugfs-fix-parse_uint-for-64-bit-fields.patch b/SOURCES/e2fsprogs-1.45.6-debugfs-fix-parse_uint-for-64-bit-fields.patch new file mode 100644 index 0000000..f84eec3 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-debugfs-fix-parse_uint-for-64-bit-fields.patch @@ -0,0 +1,54 @@ +From c78e3e170a63bb1804b47d4f5a6652aad0e4d3b2 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 6 Oct 2020 08:29:09 -0400 +Subject: [PATCH 12/46] debugfs: fix parse_uint for 64-bit fields +Content-Type: text/plain + +The logic for handling 64-bit structure elements was reversed, which +caused attempts to set fields like kbytes_written to fail: + + % debugfs -w /tmp/foo.img + debugfs 1.45.6 (20-Mar-2020) + debugfs: set_super_value kbytes_written 1024 + 64-bit field kbytes_written has a second 64-bit field + defined; BUG?!? + +https://github.com/tytso/e2fsprogs/issues/36 + +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + debugfs/set_fields.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/debugfs/set_fields.c b/debugfs/set_fields.c +index 5142554d..281f2c5d 100644 +--- a/debugfs/set_fields.c ++++ b/debugfs/set_fields.c +@@ -487,10 +487,7 @@ static errcode_t parse_uint(struct field_set_info *info, char *field, + n = num & mask; + switch (size) { + case 8: +- /* Should never get here */ +- fprintf(stderr, "64-bit field %s has a second 64-bit field\n" +- "defined; BUG?!?\n", info->name); +- *u.ptr64 = 0; ++ *u.ptr64 = n; + break; + case 4: + *u.ptr32 = n; +@@ -510,7 +507,10 @@ static errcode_t parse_uint(struct field_set_info *info, char *field, + size = 2; + switch (size) { + case 8: +- *u.ptr64 = n; ++ /* Should never get here */ ++ fprintf(stderr, "64-bit field %s has a second 64-bit field\n" ++ "defined; BUG?!?\n", info->name); ++ *u.ptr64 = 0; + break; + case 4: + *u.ptr32 = n; +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-e2fsck-add-maximum-string-length-specifiers-to-fscan.patch b/SOURCES/e2fsprogs-1.45.6-e2fsck-add-maximum-string-length-specifiers-to-fscan.patch new file mode 100644 index 0000000..6a77f19 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-e2fsck-add-maximum-string-length-specifiers-to-fscan.patch @@ -0,0 +1,42 @@ +From c9d064c7a4e4ffbfaf95098c57381ee5394a1346 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 10 Aug 2021 15:36:46 -0400 +Subject: [PATCH 45/46] e2fsck: add maximum string length specifiers to fscanf + format strings +Content-Type: text/plain + +When parsing strings from /proc/apm and /proc/acpi/ac_adapter, add +string length limits to prevent possible buffer overruns. + +Addresses-Coverty-Bug: 1297496 +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + e2fsck/unix.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/e2fsck/unix.c b/e2fsck/unix.c +index 15a73e7c..ddd384b1 100644 +--- a/e2fsck/unix.c ++++ b/e2fsck/unix.c +@@ -302,7 +302,7 @@ static int is_on_batt(void) + } + f = fopen("/proc/apm", "r"); + if (f) { +- if (fscanf(f, "%s %s %s %x", tmp, tmp, tmp, &acflag) != 4) ++ if (fscanf(f, "%79s %79s %79s %x", tmp, tmp, tmp, &acflag) != 4) + acflag = 1; + fclose(f); + return (acflag != 1); +@@ -318,7 +318,7 @@ static int is_on_batt(void) + f = fopen(fname, "r"); + if (!f) + continue; +- if (fscanf(f, "%s %s", tmp2, tmp) != 2) ++ if (fscanf(f, "%79s %79s", tmp2, tmp) != 2) + tmp[0] = 0; + fclose(f); + if (strncmp(tmp, "off-line", 8) == 0) { +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-e2fsck-fix-indexed-dir-rehash-failure-with-metadata_.patch b/SOURCES/e2fsprogs-1.45.6-e2fsck-fix-indexed-dir-rehash-failure-with-metadata_.patch new file mode 100644 index 0000000..31af3a6 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-e2fsck-fix-indexed-dir-rehash-failure-with-metadata_.patch @@ -0,0 +1,43 @@ +From 5ddac7d248ad346b80702a397c886df4d1ec4f08 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 13 Feb 2020 11:15:57 +0100 +Subject: [PATCH 05/46] e2fsck: fix indexed dir rehash failure with + metadata_csum enabled +Content-Type: text/plain + +E2fsck directory rehashing code can fail with ENOSPC due to a bug in +ext2fs_htree_intnode_maxrecs() which fails to take metadata checksum +into account and thus e.g. e2fsck can decide to create 1 indirect level +of index tree when two are actually needed. Fix the logic to account for +metadata checksum. + +Reviewed-by: Andreas Dilger +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ext2fs/ext2fs.h | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/lib/ext2fs/ext2fs.h b/lib/ext2fs/ext2fs.h +index 32c75171..d9aec525 100644 +--- a/lib/ext2fs/ext2fs.h ++++ b/lib/ext2fs/ext2fs.h +@@ -2040,7 +2040,13 @@ _INLINE_ blk_t ext2fs_inode_data_blocks(ext2_filsys fs, + + _INLINE_ int ext2fs_htree_intnode_maxrecs(ext2_filsys fs, int blocks) + { +- return blocks * ((fs->blocksize - 8) / sizeof(struct ext2_dx_entry)); ++ int csum_size = 0; ++ ++ if ((EXT2_SB(fs->super)->s_feature_ro_compat & ++ EXT4_FEATURE_RO_COMPAT_METADATA_CSUM) != 0) ++ csum_size = sizeof(struct ext2_dx_tail); ++ return blocks * ((fs->blocksize - (8 + csum_size)) / ++ sizeof(struct ext2_dx_entry)); + } + + /* +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-e2fsck-fix-last-mount-write-time-when-e2fsck-is-forc.patch b/SOURCES/e2fsprogs-1.45.6-e2fsck-fix-last-mount-write-time-when-e2fsck-is-forc.patch new file mode 100644 index 0000000..8babe73 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-e2fsck-fix-last-mount-write-time-when-e2fsck-is-forc.patch @@ -0,0 +1,64 @@ +From b93c62c3d46ed363a88668d41a87500eb5d29f98 Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Mon, 14 Jun 2021 15:27:25 +0200 +Subject: [PATCH 26/46] e2fsck: fix last mount/write time when e2fsck is forced +Content-Type: text/plain + +With commit c52d930f e2fsck is no longer able to fix bad last +mount/write time by default because it is conditioned on s_checkinterval +not being zero, which it is by default. + +One place where it matters is when other e2fsprogs tools require to run +full file system check before a certain operation. If the last mount +time is for any reason in future, it will not allow it to run even if +full e2fsck is ran. + +Fix it by checking the last mount/write time when the e2fsck is forced, +except for the case where we know the system clock is broken. + +[ Reworked the conditionals so error messages claiming that the last + write/mount time were corrupted wouldn't be always printed when the + e2fsck was run with the -f option, thus causing 299 out of 372 + regression tests to fail. -- TYT ] + +Fixes: c52d930f ("e2fsck: don't check for future superblock times if checkinterval == 0") +Reported-by: Dusty Mabe +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +--- + e2fsck/super.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/e2fsck/super.c b/e2fsck/super.c +index e1c3f935..31e2ffb2 100644 +--- a/e2fsck/super.c ++++ b/e2fsck/super.c +@@ -1038,9 +1038,9 @@ void check_super_block(e2fsck_t ctx) + * Check to see if the superblock last mount time or last + * write time is in the future. + */ +- if (!broken_system_clock && fs->super->s_checkinterval && +- !(ctx->flags & E2F_FLAG_TIME_INSANE) && +- fs->super->s_mtime > (__u32) ctx->now) { ++ if (((ctx->options & E2F_OPT_FORCE) || fs->super->s_checkinterval) && ++ !broken_system_clock && !(ctx->flags & E2F_FLAG_TIME_INSANE) && ++ (fs->super->s_mtime > (__u32) ctx->now)) { + pctx.num = fs->super->s_mtime; + problem = PR_0_FUTURE_SB_LAST_MOUNT; + if (fs->super->s_mtime <= (__u32) ctx->now + ctx->time_fudge) +@@ -1050,9 +1050,9 @@ void check_super_block(e2fsck_t ctx) + fs->flags |= EXT2_FLAG_DIRTY; + } + } +- if (!broken_system_clock && fs->super->s_checkinterval && +- !(ctx->flags & E2F_FLAG_TIME_INSANE) && +- fs->super->s_wtime > (__u32) ctx->now) { ++ if (((ctx->options & E2F_OPT_FORCE) || fs->super->s_checkinterval) && ++ !broken_system_clock && !(ctx->flags & E2F_FLAG_TIME_INSANE) && ++ (fs->super->s_wtime > (__u32) ctx->now)) { + pctx.num = fs->super->s_wtime; + problem = PR_0_FUTURE_SB_LAST_WRITE; + if (fs->super->s_wtime <= (__u32) ctx->now + ctx->time_fudge) +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-e2fsck-fix-off-by-one-check-when-validating-depth-of.patch b/SOURCES/e2fsprogs-1.45.6-e2fsck-fix-off-by-one-check-when-validating-depth-of.patch new file mode 100644 index 0000000..d674ef2 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-e2fsck-fix-off-by-one-check-when-validating-depth-of.patch @@ -0,0 +1,31 @@ +From 669a17d35cdfd9cf5b76e97016fae2df2d72e768 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 10 Apr 2020 00:30:52 -0400 +Subject: [PATCH 07/46] e2fsck: fix off-by-one check when validating depth of + an htree +Content-Type: text/plain + +Fixes: 3f0cf6475399 ("e2fsprogs: add support for 3-level htree") + +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + e2fsck/pass1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c +index c9e8bf82..38afda48 100644 +--- a/e2fsck/pass1.c ++++ b/e2fsck/pass1.c +@@ -2685,7 +2685,7 @@ static int handle_htree(e2fsck_t ctx, struct problem_context *pctx, + return 1; + + pctx->num = root->indirect_levels; +- if ((root->indirect_levels > ext2_dir_htree_level(fs)) && ++ if ((root->indirect_levels >= ext2_dir_htree_level(fs)) && + fix_problem(ctx, PR_1_HTREE_DEPTH, pctx)) + return 1; + +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-e2fsck-use-size_t-instead-of-int-in-string_copy.patch b/SOURCES/e2fsprogs-1.45.6-e2fsck-use-size_t-instead-of-int-in-string_copy.patch new file mode 100644 index 0000000..4f1f2e2 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-e2fsck-use-size_t-instead-of-int-in-string_copy.patch @@ -0,0 +1,47 @@ +From 8a97e4f67f75a4584f7562b7e5d866431c88152e Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Fri, 5 Jun 2020 10:14:40 +0200 +Subject: [PATCH 09/46] e2fsck: use size_t instead of int in string_copy() +Content-Type: text/plain + +len argument in string_copy() is int, but it is used with malloc(), +strlen(), strncpy() and some callers use sizeof() to pass value in. So +it really ought to be size_t rather than int. Fix it. + +Signed-off-by: Lukas Czerner +Reviewed-by: Andreas Dilger +Signed-off-by: Theodore Ts'o +--- + e2fsck/e2fsck.h | 2 +- + e2fsck/util.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/e2fsck/e2fsck.h b/e2fsck/e2fsck.h +index feb605c7..7e0895c2 100644 +--- a/e2fsck/e2fsck.h ++++ b/e2fsck/e2fsck.h +@@ -608,7 +608,7 @@ extern void log_err(e2fsck_t ctx, const char *fmt, ...) + extern void e2fsck_read_bitmaps(e2fsck_t ctx); + extern void e2fsck_write_bitmaps(e2fsck_t ctx); + extern void preenhalt(e2fsck_t ctx); +-extern char *string_copy(e2fsck_t ctx, const char *str, int len); ++extern char *string_copy(e2fsck_t ctx, const char *str, size_t len); + extern int fs_proc_check(const char *fs_name); + extern int check_for_modules(const char *fs_name); + #ifdef RESOURCE_TRACK +diff --git a/e2fsck/util.c b/e2fsck/util.c +index d98b8e47..88e0ea8a 100644 +--- a/e2fsck/util.c ++++ b/e2fsck/util.c +@@ -135,7 +135,7 @@ void *e2fsck_allocate_memory(e2fsck_t ctx, unsigned long size, + } + + char *string_copy(e2fsck_t ctx EXT2FS_ATTR((unused)), +- const char *str, int len) ++ const char *str, size_t len) + { + char *ret; + +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-e2image-fix-overflow-in-l2-table-processing.patch b/SOURCES/e2fsprogs-1.45.6-e2image-fix-overflow-in-l2-table-processing.patch new file mode 100644 index 0000000..3862507 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-e2image-fix-overflow-in-l2-table-processing.patch @@ -0,0 +1,38 @@ +From 1a97380b1cc4d167697e31e5fb663e805629c1ab Mon Sep 17 00:00:00 2001 +From: Artem Blagodarenko +Date: Thu, 22 Apr 2021 01:24:48 -0400 +Subject: [PATCH 25/46] e2image: fix overflow in l2 table processing +Content-Type: text/plain + +For a large partition during e2image capture process +it is possible to overflow offset at multiply operation. +This leads to the situation when data is written to the +position at the start of the image instead of the image end. + +Let's use the right cast to avoid integer overflow. + +Signed-off-by: Alexey Lyashkov +Signed-off-by: Artem Blagodarenko +HPE-bug-id: LUS-9368 +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ext2fs/qcow2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/ext2fs/qcow2.c b/lib/ext2fs/qcow2.c +index ee701f7a..20824170 100644 +--- a/lib/ext2fs/qcow2.c ++++ b/lib/ext2fs/qcow2.c +@@ -238,7 +238,7 @@ int qcow2_write_raw_image(int qcow2_fd, int raw_fd, + if (offset == 0) + continue; + +- off_out = (l1_index * img.l2_size) + ++ off_out = ((__u64)l1_index * img.l2_size) + + l2_index; + off_out <<= img.cluster_bits; + ret = qcow2_copy_data(qcow2_fd, raw_fd, offset, +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-ext2ed-fix-potential-NULL-pointer-dereference-in-dup.patch b/SOURCES/e2fsprogs-1.45.6-ext2ed-fix-potential-NULL-pointer-dereference-in-dup.patch new file mode 100644 index 0000000..bb6b713 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-ext2ed-fix-potential-NULL-pointer-dereference-in-dup.patch @@ -0,0 +1,34 @@ +From c0a66f76f9c5b2ed0c2f20d1b59b4715f10a60f7 Mon Sep 17 00:00:00 2001 +From: Zhiqiang Liu +Date: Wed, 30 Jun 2021 16:27:24 +0800 +Subject: [PATCH 33/46] ext2ed: fix potential NULL pointer dereference in + dupstr() +Content-Type: text/plain + +In dupstr(), we should check return value of malloc(). + +Signed-off-by: Zhiqiang Liu +Signed-off-by: Wu Guanghao +Reviewed-by: Wu Bo +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + ext2ed/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ext2ed/main.c b/ext2ed/main.c +index f7e7d7df..9d33a8e1 100644 +--- a/ext2ed/main.c ++++ b/ext2ed/main.c +@@ -524,6 +524,8 @@ char *dupstr (char *src) + char *ptr; + + ptr=(char *) malloc (strlen (src)+1); ++ if (!ptr) ++ return NULL; + strcpy (ptr,src); + return (ptr); + } +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-filefrag-handle-invalid-st_dev-and-blksize-cases.patch b/SOURCES/e2fsprogs-1.45.6-filefrag-handle-invalid-st_dev-and-blksize-cases.patch new file mode 100644 index 0000000..a05c390 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-filefrag-handle-invalid-st_dev-and-blksize-cases.patch @@ -0,0 +1,54 @@ +From 381bc5d98b2a8a65b1f559e31e67361a761aefee Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Wed, 28 Oct 2020 15:55:50 +0000 +Subject: [PATCH 14/46] filefrag: handle invalid st_dev and blksize cases +Content-Type: text/plain + +It is possible to crash filefrag with a "Floating point exception" in +two different scenarios: + +1. When fstat() returns a device ID set to 0 +2. When FIGETBSZ ioctl returns a blocksize of 0 + +In both scenarios a divide-by-zero will occur in frag_report() because +variable blksize will be set to zero. + +I've managed to trigger this crash with an old CephFS kernel client, +using xfstest generic/519. The first scenario has been fixed by kernel +commit 75c9627efb72 ("ceph: map snapid to anonymous bdev ID"). The +second scenario is also fixed with commit 8f97d1e99149 ("vfs: fix +FIGETBSZ ioctl on an overlayfs file"). + +However, it is desirable to handle these two scenarios gracefully by +checking these conditions explicitly. + +Signed-off-by: Luis Henriques +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + misc/filefrag.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/misc/filefrag.c b/misc/filefrag.c +index 032535f3..a5b9bfe9 100644 +--- a/misc/filefrag.c ++++ b/misc/filefrag.c +@@ -418,13 +418,13 @@ static int frag_report(const char *filename) + goto out_close; + } + +- if (last_device != st.st_dev) { ++ if ((last_device != st.st_dev) || !st.st_dev) { + if (fstatfs(fd, &fsinfo) < 0) { + rc = -errno; + perror("fstatfs"); + goto out_close; + } +- if (ioctl(fd, FIGETBSZ, &blksize) < 0) ++ if ((ioctl(fd, FIGETBSZ, &blksize) < 0) || !blksize) + blksize = fsinfo.f_bsize; + if (verbose) + printf("Filesystem type is: %lx\n", +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-lib-ss-error.c-check-return-value-malloc-in-ss_name.patch b/SOURCES/e2fsprogs-1.45.6-lib-ss-error.c-check-return-value-malloc-in-ss_name.patch new file mode 100644 index 0000000..b476690 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-lib-ss-error.c-check-return-value-malloc-in-ss_name.patch @@ -0,0 +1,33 @@ +From 693c06539f0c168c6edf32d25b4c64835a1e3f31 Mon Sep 17 00:00:00 2001 +From: Zhiqiang Liu +Date: Wed, 30 Jun 2021 16:27:21 +0800 +Subject: [PATCH 32/46] lib/ss/error.c: check return value malloc in ss_name() +Content-Type: text/plain + +In ss_name(), we should check return value of malloc(), +otherwise, it may cause a segmentation fault problem. + +Signed-off-by: Zhiqiang Liu +Signed-off-by: Wu Guanghao +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ss/error.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/ss/error.c b/lib/ss/error.c +index 8d345a9f..656b71be 100644 +--- a/lib/ss/error.c ++++ b/lib/ss/error.c +@@ -42,6 +42,8 @@ char *ss_name(int sci_idx) + (strlen(infop->subsystem_name)+ + strlen(infop->current_request)+ + 4)); ++ if (ret_val == (char *)NULL) ++ return ((char *)NULL); + cp = ret_val; + cp1 = infop->subsystem_name; + while (*cp1) +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libext2fs-add-sanity-check-to-extent-manipulation.patch b/SOURCES/e2fsprogs-1.45.6-libext2fs-add-sanity-check-to-extent-manipulation.patch new file mode 100644 index 0000000..fa47b22 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libext2fs-add-sanity-check-to-extent-manipulation.patch @@ -0,0 +1,56 @@ +From 265fcf9204fd06f574578ebe780f24e62bac2e86 Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Thu, 21 Apr 2022 19:31:48 +0200 +Subject: [PATCH 1/2] libext2fs: add sanity check to extent manipulation +Content-Type: text/plain + +It is possible to have a corrupted extent tree in such a way that a leaf +node contains zero extents in it. Currently if that happens and we try +to traverse the tree we can end up accessing wrong data, or possibly +even uninitialized memory. Make sure we don't do that. + +Additionally make sure that we have a sane number of bytes passed to +memmove() in ext2fs_extent_delete(). + +Note that e2fsck is currently unable to spot and fix such corruption in +pass1. + +Signed-off-by: Lukas Czerner +Reported-by: Nils Bars +Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113 +Addresses: CVE-2022-1304 +Addresses-Debian-Bug: #1010263 +Signed-off-by: Theodore Ts'o +--- + lib/ext2fs/extent.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c +index ac3dbfec..a1b1905c 100644 +--- a/lib/ext2fs/extent.c ++++ b/lib/ext2fs/extent.c +@@ -495,6 +495,10 @@ retry: + ext2fs_le16_to_cpu(eh->eh_entries); + newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max); + ++ /* Make sure there is at least one extent present */ ++ if (newpath->left <= 0) ++ return EXT2_ET_EXTENT_NO_DOWN; ++ + if (path->left > 0) { + ix++; + newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block); +@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags) + + cp = path->curr; + ++ /* Sanity check before memmove() */ ++ if (path->left < 0) ++ return EXT2_ET_EXTENT_LEAF_BAD; ++ + if (path->left) { + memmove(cp, cp + sizeof(struct ext3_extent_idx), + path->left * sizeof(struct ext3_extent_idx)); +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libext2fs-don-t-needlessly-byte-swap-the-group-descr.patch b/SOURCES/e2fsprogs-1.45.6-libext2fs-don-t-needlessly-byte-swap-the-group-descr.patch new file mode 100644 index 0000000..c88f9a3 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libext2fs-don-t-needlessly-byte-swap-the-group-descr.patch @@ -0,0 +1,58 @@ +From 1aecdcc5c805e5e2114dd14877e9e1771fb519bf Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 16 Jan 2020 19:17:26 -0500 +Subject: [PATCH 04/46] libext2fs: don't needlessly byte swap the group + descriptors in ext2fs_flush +Content-Type: text/plain + +If the EXT2_FLAG_SUPER_ONLY is set, there's no reason to allocate the +shadow block group descriptors and byte swap the group descriptors. + +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ext2fs/closefs.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c +index 6814cdc3..69cbdd8c 100644 +--- a/lib/ext2fs/closefs.c ++++ b/lib/ext2fs/closefs.c +@@ -331,20 +331,24 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags) + #ifdef WORDS_BIGENDIAN + retval = EXT2_ET_NO_MEMORY; + retval = ext2fs_get_mem(SUPERBLOCK_SIZE, &super_shadow); +- if (retval) +- goto errout; +- retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize, +- &group_shadow); + if (retval) + goto errout; + memcpy(super_shadow, fs->super, sizeof(struct ext2_super_block)); +- memcpy(group_shadow, fs->group_desc, (size_t) fs->blocksize * +- fs->desc_blocks); +- + ext2fs_swap_super(super_shadow); +- for (j = 0; j < fs->group_desc_count; j++) { +- gdp = ext2fs_group_desc(fs, group_shadow, j); +- ext2fs_swap_group_desc2(fs, gdp); ++ ++ if (((fs->flags & EXT2_FLAG_SUPER_ONLY) == 0) && ++ !ext2fs_has_feature_journal_dev(fs->super)) { ++ retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize, ++ &group_shadow); ++ if (retval) ++ goto errout; ++ memcpy(group_shadow, fs->group_desc, (size_t) fs->blocksize * ++ fs->desc_blocks); ++ ++ for (j = 0; j < fs->group_desc_count; j++) { ++ gdp = ext2fs_group_desc(fs, group_shadow, j); ++ ext2fs_swap_group_desc2(fs, gdp); ++ } + } + #else + super_shadow = fs->super; +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-crash-in-ext2fs_image_super_write-on-B.patch b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-crash-in-ext2fs_image_super_write-on-B.patch new file mode 100644 index 0000000..c4f4dab --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-crash-in-ext2fs_image_super_write-on-B.patch @@ -0,0 +1,69 @@ +From 20a8dbefbc0510430aa7744692221b843b657f62 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 14 Jan 2020 10:58:10 -0500 +Subject: [PATCH 02/46] libext2fs: fix crash in ext2fs_image_super_write() on + Big Endian systems +Content-Type: text/plain + +This is a similar fix as c9a8c53b17cc ("libext2fs: fix crash in +ext2fs_open2() on Big Endian systems"). + +Commit e6069a05: ("Teach ext2fs_open2() to honor the +EXT2_FLAG_SUPER_ONLY flag") changed how the function +ext2fs_group_desc() handled a request for a gdp pointer for a group +larger than the number of groups in the file system; it now returns +NULL, instead of returning a pointer beyond the end of the array. + +Previously, the ext2fs_imager_super_write() function would swap all of +the block group descriptors in a block, even if they are beyond the +end of the file system. This was OK, since we were not overrunning +the allocated memory, since it was rounded to a block boundary. But +now that ext2fs_group_desc() would return NULL for those gdp, it would +cause ext2fs_open2(), when it was byte swapping the block group +descriptors on Big Endian systems, to dereference a null pointer and +crash. + +This commit adds a NULL pointer check to avoid byte swapping those +block group descriptors in a bg descriptor block, but which are beyond +the end of the file system, to address this crash. + +Signed-off-by: Theodore Ts'o +Reported-by: Anatoly Pugachev +Signed-off-by: Lukas Czerner +--- + lib/ext2fs/imager.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lib/ext2fs/imager.c b/lib/ext2fs/imager.c +index b3ede9a8..f8d67d86 100644 +--- a/lib/ext2fs/imager.c ++++ b/lib/ext2fs/imager.c +@@ -249,10 +249,10 @@ errcode_t ext2fs_image_super_write(ext2_filsys fs, int fd, + * if needed + */ + groups_per_block = EXT2_DESC_PER_BLOCK(fs->super); +- gdp = (struct ext2_group_desc *) cp; + for (j=0; j < groups_per_block*fs->desc_blocks; j++) { + gdp = ext2fs_group_desc(fs, fs->group_desc, j); +- ext2fs_swap_group_desc2(fs, gdp); ++ if (gdp) ++ ext2fs_swap_group_desc2(fs, gdp); + } + #endif + +@@ -261,10 +261,10 @@ errcode_t ext2fs_image_super_write(ext2_filsys fs, int fd, + + #ifdef WORDS_BIGENDIAN + groups_per_block = EXT2_DESC_PER_BLOCK(fs->super); +- gdp = (struct ext2_group_desc *) cp; + for (j=0; j < groups_per_block*fs->desc_blocks; j++) { + gdp = ext2fs_group_desc(fs, fs->group_desc, j); +- ext2fs_swap_group_desc2(fs, gdp); ++ if (gdp) ++ ext2fs_swap_group_desc2(fs, gdp); + } + #endif + +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-crash-in-ext2fs_open2-on-Big-Endian-sy.patch b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-crash-in-ext2fs_open2-on-Big-Endian-sy.patch new file mode 100644 index 0000000..2f1d2cc --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-crash-in-ext2fs_open2-on-Big-Endian-sy.patch @@ -0,0 +1,59 @@ +From db2efc9e0a8cdb70afc8dd7c9621da9376da7afb Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 26 Dec 2019 23:19:54 -0500 +Subject: [PATCH 01/46] libext2fs: fix crash in ext2fs_open2() on Big Endian + systems +Content-Type: text/plain + +Commit e6069a05: ("Teach ext2fs_open2() to honor the +EXT2_FLAG_SUPER_ONLY flag") changed how the function +ext2fs_group_desc() handled a request for a gdp pointer for a group +larger than the number of groups in the file system; it now returns +NULL, instead of returning a pointer beyond the end of the array. + +Previously, the ext2fs_open2() function would swap all of the block +group descriptors in a block, even if they are beyond the end of the +file system. This was OK, since we were not overrunning the allocated +memory, since it was rounded to a block boundary. But now that +ext2fs_group_desc() would return NULL for those gdp, it would cause +ext2fs_open2(), when it was byte swapping the block group descriptors +on Big Endian systems, to dereference a null pointer and crash. + +This commit adds a NULL pointer check to avoid byte swapping those +block group descriptors in a bg descriptor block, but which are beyond +the end of the file system, to address this crash. + +Signed-off-by: Theodore Ts'o +Reported-by: Anatoly Pugachev +Signed-off-by: Lukas Czerner +--- + lib/ext2fs/openfs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c +index 51b54a44..e457ce1a 100644 +--- a/lib/ext2fs/openfs.c ++++ b/lib/ext2fs/openfs.c +@@ -433,7 +433,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options, + gdp = (struct ext2_group_desc *) dest; + for (j=0; j < groups_per_block*first_meta_bg; j++) { + gdp = ext2fs_group_desc(fs, fs->group_desc, j); +- ext2fs_swap_group_desc2(fs, gdp); ++ if (gdp) ++ ext2fs_swap_group_desc2(fs, gdp); + } + #endif + dest += fs->blocksize*first_meta_bg; +@@ -453,7 +454,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options, + for (j=0; j < groups_per_block; j++) { + gdp = ext2fs_group_desc(fs, fs->group_desc, + i * groups_per_block + j); +- ext2fs_swap_group_desc2(fs, gdp); ++ if (gdp) ++ ext2fs_swap_group_desc2(fs, gdp); + } + #endif + dest += fs->blocksize; +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-crash-when-ext2fs_mmp_stop-is-called-b.patch b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-crash-when-ext2fs_mmp_stop-is-called-b.patch new file mode 100644 index 0000000..350d3ef --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-crash-when-ext2fs_mmp_stop-is-called-b.patch @@ -0,0 +1,36 @@ +From df34e45c71cff889927a412c6296d02866cdc5cc Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sun, 14 Feb 2021 23:51:45 -0500 +Subject: [PATCH 20/46] libext2fs: fix crash when ext2fs_mmp_stop() is called + before MMP is initialized +Content-Type: text/plain + +The fatal_error() function in e2fsck can call ext2fs_mmp_stop() on a +file system where MMP hasn't yet been initialized. When that happens, +instead of crashing, have ext2fs_mmp_stop() return success, since mmp +doesn't need to be stopped if it hasn't even been initialized yet. + +Addresses-Debian-Bug: #696609 +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ext2fs/mmp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/ext2fs/mmp.c b/lib/ext2fs/mmp.c +index 973b9ecd..eddc66a7 100644 +--- a/lib/ext2fs/mmp.c ++++ b/lib/ext2fs/mmp.c +@@ -401,7 +401,8 @@ errcode_t ext2fs_mmp_stop(ext2_filsys fs) + errcode_t retval = 0; + + if (!ext2fs_has_feature_mmp(fs->super) || +- !(fs->flags & EXT2_FLAG_RW) || (fs->flags & EXT2_FLAG_SKIP_MMP)) ++ !(fs->flags & EXT2_FLAG_RW) || (fs->flags & EXT2_FLAG_SKIP_MMP) || ++ (fs->mmp_buf == NULL) || (fs->mmp_cmp == NULL)) + goto mmp_error; + + retval = ext2fs_mmp_read(fs, fs->super->s_mmp_block, fs->mmp_buf); +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-incorrect-negative-error-return-in-uni.patch b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-incorrect-negative-error-return-in-uni.patch new file mode 100644 index 0000000..02d8e3c --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-incorrect-negative-error-return-in-uni.patch @@ -0,0 +1,52 @@ +From c951a12b1594158bb87fbc4d8a89b326c34e711f Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 21 Jan 2021 16:00:01 -0500 +Subject: [PATCH 15/46] libext2fs: fix incorrect negative error return in unix + and sparse io managers +Content-Type: text/plain + +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ext2fs/sparse_io.c | 4 ++-- + lib/ext2fs/unix_io.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/ext2fs/sparse_io.c b/lib/ext2fs/sparse_io.c +index 5e0e2cd9..f287e76d 100644 +--- a/lib/ext2fs/sparse_io.c ++++ b/lib/ext2fs/sparse_io.c +@@ -138,7 +138,7 @@ static errcode_t io_manager_configure(struct sparse_io_params *params, + retval = io_manager_import_sparse(params, sm, io); + if (retval) { + if (!params->block_size || !params->blocks_count) { +- retval = -EINVAL; ++ retval = EINVAL; + goto err_params; + } + sm->block_size = params->block_size; +@@ -229,7 +229,7 @@ static errcode_t read_sparse_argv(const char *name, bool is_fd, + + if (ret < 1) { + free(sparse_params->file); +- return -EINVAL; ++ return EINVAL; + } + return 0; + } +diff --git a/lib/ext2fs/unix_io.c b/lib/ext2fs/unix_io.c +index 628e60c3..2bcd435c 100644 +--- a/lib/ext2fs/unix_io.c ++++ b/lib/ext2fs/unix_io.c +@@ -733,7 +733,7 @@ static errcode_t unixfd_open(const char *str_fd, int flags, + #if defined(HAVE_FCNTL) + fd_flags = fcntl(fd, F_GETFD); + if (fd_flags == -1) +- return -EBADF; ++ return EBADF; + + flags = 0; + if (fd_flags & O_RDWR) +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-potential-buffer-overrun-in-__get_dire.patch b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-potential-buffer-overrun-in-__get_dire.patch new file mode 100644 index 0000000..c193075 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-potential-buffer-overrun-in-__get_dire.patch @@ -0,0 +1,40 @@ +From b7466a55e89aa6d6a649734f2b1b24a03390bcef Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 26 Aug 2020 16:29:29 -0400 +Subject: [PATCH 08/46] libext2fs: fix potential buffer overrun in + __get_dirent_tail() +Content-Type: text/plain + +If the file system is corrupted, there is a potential of a read-only +buffer overrun. Fortunately, we don't actually use the result of that +pointer dereference, and the overrun is at most 64k. + +Google-Bug-Id: #158564737 +Fixes: eb88b751745b ("libext2fs: make ext2fs_dirent_has_tail() more strict") +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ext2fs/csum.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c +index a7172580..2151003b 100644 +--- a/lib/ext2fs/csum.c ++++ b/lib/ext2fs/csum.c +@@ -266,12 +266,11 @@ static errcode_t __get_dirent_tail(ext2_filsys fs, + d = dirent; + top = EXT2_DIRENT_TAIL(dirent, fs->blocksize); + +- rec_len = translate(d->rec_len); + while ((void *) d < top) { ++ rec_len = translate(d->rec_len); + if ((rec_len < 8) || (rec_len & 0x03)) + return EXT2_ET_DIR_CORRUPTED; + d = (struct ext2_dir_entry *)(((char *)d) + rec_len); +- rec_len = translate(d->rec_len); + } + + if ((void *)d > ((void *)dirent + fs->blocksize)) +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-segault-when-setting-an-xattr-with-an-.patch b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-segault-when-setting-an-xattr-with-an-.patch new file mode 100644 index 0000000..1369133 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-segault-when-setting-an-xattr-with-an-.patch @@ -0,0 +1,212 @@ +From 9beb50cd2c05f69f1231eb1f4579d6770ef48359 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sun, 7 Feb 2021 23:21:58 -0500 +Subject: [PATCH 18/46] libext2fs: fix segault when setting an xattr with an + unknown prefix +Content-Type: text/plain + +Also avoid unnecessary calls to find_ea_index() by caching the short +name and name index in the ext2_attr structure. + +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ext2fs/ext_attr.c | 64 +++++++++++++++++++++---------------------- + 1 file changed, 32 insertions(+), 32 deletions(-) + +diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c +index 871319a5..8a7a17cf 100644 +--- a/lib/ext2fs/ext_attr.c ++++ b/lib/ext2fs/ext_attr.c +@@ -293,7 +293,9 @@ errcode_t ext2fs_adjust_ea_refcount(ext2_filsys fs, blk_t blk, + + /* Manipulate the contents of extended attribute regions */ + struct ext2_xattr { ++ int name_index; + char *name; ++ char *short_name; + void *value; + unsigned int value_len; + ext2_ino_t ea_ino; +@@ -643,29 +645,23 @@ write_xattrs_to_buffer(ext2_filsys fs, struct ext2_xattr *attrs, int count, + struct ext2_xattr *x; + struct ext2_ext_attr_entry *e = entries_start; + char *end = (char *) entries_start + storage_size; +- const char *shortname; + unsigned int value_size; +- int idx, ret; + errcode_t err; + + memset(entries_start, 0, storage_size); + for (x = attrs; x < attrs + count; x++) { +- /* Calculate index and shortname position */ +- shortname = x->name; +- ret = find_ea_index(x->name, &shortname, &idx); +- + value_size = ((x->value_len + EXT2_EXT_ATTR_PAD - 1) / + EXT2_EXT_ATTR_PAD) * EXT2_EXT_ATTR_PAD; + + /* Fill out e appropriately */ +- e->e_name_len = strlen(shortname); +- e->e_name_index = (ret ? idx : 0); ++ e->e_name_len = strlen(x->short_name); ++ e->e_name_index = x->name_index; + + e->e_value_size = x->value_len; + e->e_value_inum = x->ea_ino; + + /* Store name */ +- memcpy((char *)e + sizeof(*e), shortname, e->e_name_len); ++ memcpy((char *)e + sizeof(*e), x->short_name, e->e_name_len); + if (x->ea_ino) { + e->e_value_offs = 0; + } else { +@@ -875,6 +871,8 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle, + memcpy(x->name + prefix_len, + (char *)entry + sizeof(*entry), + entry->e_name_len); ++ x->short_name = x->name + prefix_len; ++ x->name_index = entry->e_name_index; + + /* Check & copy value */ + if (!ext2fs_has_feature_ea_inode(handle->fs->super) && +@@ -1302,7 +1300,8 @@ out: + } + + static errcode_t xattr_update_entry(ext2_filsys fs, struct ext2_xattr *x, +- const char *name, const void *value, ++ const char *name, const char *short_name, ++ int index, const void *value, + size_t value_len, int in_inode) + { + ext2_ino_t ea_ino = 0; +@@ -1336,8 +1335,11 @@ static errcode_t xattr_update_entry(ext2_filsys fs, struct ext2_xattr *x, + goto fail; + } + +- if (!x->name) ++ if (!x->name) { + x->name = new_name; ++ x->short_name = new_name + (short_name - name); ++ } ++ x->name_index = index; + + if (x->value) + ext2fs_free_mem(&x->value); +@@ -1356,31 +1358,27 @@ fail: + } + + static int xattr_find_position(struct ext2_xattr *attrs, int count, +- const char *name) ++ const char *shortname, int name_idx) + { + struct ext2_xattr *x; + int i; +- const char *shortname, *x_shortname; +- int name_idx, x_name_idx; + int shortname_len, x_shortname_len; + +- find_ea_index(name, &shortname, &name_idx); + shortname_len = strlen(shortname); + + for (i = 0, x = attrs; i < count; i++, x++) { +- find_ea_index(x->name, &x_shortname, &x_name_idx); +- if (name_idx < x_name_idx) ++ if (name_idx < x->name_index) + break; +- if (name_idx > x_name_idx) ++ if (name_idx > x->name_index) + continue; + +- x_shortname_len = strlen(x_shortname); ++ x_shortname_len = strlen(x->short_name); + if (shortname_len < x_shortname_len) + break; + if (shortname_len > x_shortname_len) + continue; + +- if (memcmp(shortname, x_shortname, shortname_len) <= 0) ++ if (memcmp(shortname, x->short_name, shortname_len) <= 0) + break; + } + return i; +@@ -1395,8 +1393,8 @@ static errcode_t xattr_array_update(struct ext2_xattr_handle *h, + struct ext2_xattr tmp; + int add_to_ibody; + int needed; +- int name_len, name_idx; +- const char *shortname; ++ int name_len, name_idx = 0; ++ const char *shortname = name; + int new_idx; + int ret; + +@@ -1423,7 +1421,8 @@ static errcode_t xattr_array_update(struct ext2_xattr_handle *h, + + /* Update the existing entry. */ + ret = xattr_update_entry(h->fs, &h->attrs[old_idx], name, +- value, value_len, in_inode); ++ shortname, name_idx, value, ++ value_len, in_inode); + if (ret) + return ret; + if (h->ibody_count <= old_idx) { +@@ -1451,7 +1450,8 @@ static errcode_t xattr_array_update(struct ext2_xattr_handle *h, + if (old_idx >= 0) { + /* Update the existing entry. */ + ret = xattr_update_entry(h->fs, &h->attrs[old_idx], name, +- value, value_len, in_inode); ++ shortname, name_idx, value, ++ value_len, in_inode); + if (ret) + return ret; + if (old_idx < h->ibody_count) { +@@ -1460,7 +1460,8 @@ static errcode_t xattr_array_update(struct ext2_xattr_handle *h, + * entries in the block are sorted. + */ + new_idx = xattr_find_position(h->attrs + h->ibody_count, +- h->count - h->ibody_count, name); ++ h->count - h->ibody_count, ++ shortname, name_idx); + new_idx += h->ibody_count - 1; + tmp = h->attrs[old_idx]; + memmove(h->attrs + old_idx, h->attrs + old_idx + 1, +@@ -1472,7 +1473,8 @@ static errcode_t xattr_array_update(struct ext2_xattr_handle *h, + } + + new_idx = xattr_find_position(h->attrs + h->ibody_count, +- h->count - h->ibody_count, name); ++ h->count - h->ibody_count, ++ shortname, name_idx); + new_idx += h->ibody_count; + add_to_ibody = 0; + +@@ -1483,8 +1485,8 @@ add_new: + return ret; + } + +- ret = xattr_update_entry(h->fs, &h->attrs[h->count], name, value, +- value_len, in_inode); ++ ret = xattr_update_entry(h->fs, &h->attrs[h->count], name, shortname, ++ name_idx, value, value_len, in_inode); + if (ret) + return ret; + +@@ -1502,12 +1504,10 @@ static int space_used(struct ext2_xattr *attrs, int count) + { + int total = 0; + struct ext2_xattr *x; +- const char *shortname; +- int i, len, name_idx; ++ int i, len; + + for (i = 0, x = attrs; i < count; i++, x++) { +- find_ea_index(x->name, &shortname, &name_idx); +- len = strlen(shortname); ++ len = strlen(x->short_name); + total += EXT2_EXT_ATTR_LEN(len); + if (!x->ea_ino) + total += EXT2_EXT_ATTR_SIZE(x->value_len); +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-unexpected-NULL-variable.patch b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-unexpected-NULL-variable.patch new file mode 100644 index 0000000..8800559 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libext2fs-fix-unexpected-NULL-variable.patch @@ -0,0 +1,39 @@ +From 92d055879d510a1a51315301ea788445cd11aacb Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Fri, 6 Aug 2021 11:58:16 +0200 +Subject: [PATCH 40/46] libext2fs: fix unexpected NULL variable +Content-Type: text/plain + +The ext2fs_check_mount_point() function can be called with mtpt being +NULL as for example from ext2fs_check_if_mounted(). However in the +is_swap_device condition we use the mtpt in strncpy without checking +whether it is non-null first. + +This should not be a problem on linux since the previous attempt to open +the device exclusively would have prevented us from ever reaching the +problematic strncpy. However it's still a bug and can cause problems on +other systems, fix it by conditioning strncpy on mtpt not being null. + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +--- + lib/ext2fs/ismounted.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/ext2fs/ismounted.c b/lib/ext2fs/ismounted.c +index 46d330d9..c28475d4 100644 +--- a/lib/ext2fs/ismounted.c ++++ b/lib/ext2fs/ismounted.c +@@ -393,7 +393,8 @@ errcode_t ext2fs_check_mount_point(const char *device, int *mount_flags, + + if (is_swap_device(device)) { + *mount_flags = EXT2_MF_MOUNTED | EXT2_MF_SWAP; +- strncpy(mtpt, "", mtlen); ++ if (mtpt) ++ strncpy(mtpt, "", mtlen); + } else { + #ifdef HAVE_SETMNTENT + retval = check_mntent(device, mount_flags, mtpt, mtlen); +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libext2fs-remove-augmented-rbtree-functionality.patch b/SOURCES/e2fsprogs-1.45.6-libext2fs-remove-augmented-rbtree-functionality.patch new file mode 100644 index 0000000..4f1670c --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libext2fs-remove-augmented-rbtree-functionality.patch @@ -0,0 +1,118 @@ +From 1a95588e8090a2ac6cab364e5a24be219f50710b Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Fri, 6 Aug 2021 11:58:17 +0200 +Subject: [PATCH 41/46] libext2fs: remove augmented rbtree functionality +Content-Type: text/plain + +Rbtree code was originally taken from linux kernel. This includes the +augmented rbtree functionality, however this was never intended to be +used and is not used still. Just remove it. + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +--- + lib/ext2fs/rbtree.c | 68 --------------------------------------------- + lib/ext2fs/rbtree.h | 8 ------ + 2 files changed, 76 deletions(-) + +diff --git a/lib/ext2fs/rbtree.c b/lib/ext2fs/rbtree.c +index 5b92099d..74426fa6 100644 +--- a/lib/ext2fs/rbtree.c ++++ b/lib/ext2fs/rbtree.c +@@ -280,74 +280,6 @@ void ext2fs_rb_erase(struct rb_node *node, struct rb_root *root) + __rb_erase_color(child, parent, root); + } + +-static void ext2fs_rb_augment_path(struct rb_node *node, rb_augment_f func, void *data) +-{ +- struct rb_node *parent; +- +-up: +- func(node, data); +- parent = ext2fs_rb_parent(node); +- if (!parent) +- return; +- +- if (node == parent->rb_left && parent->rb_right) +- func(parent->rb_right, data); +- else if (parent->rb_left) +- func(parent->rb_left, data); +- +- node = parent; +- goto up; +-} +- +-/* +- * after inserting @node into the tree, update the tree to account for +- * both the new entry and any damage done by rebalance +- */ +-void ext2fs_rb_augment_insert(struct rb_node *node, rb_augment_f func, void *data) +-{ +- if (node->rb_left) +- node = node->rb_left; +- else if (node->rb_right) +- node = node->rb_right; +- +- ext2fs_rb_augment_path(node, func, data); +-} +- +-/* +- * before removing the node, find the deepest node on the rebalance path +- * that will still be there after @node gets removed +- */ +-struct rb_node *ext2fs_rb_augment_erase_begin(struct rb_node *node) +-{ +- struct rb_node *deepest; +- +- if (!node->rb_right && !node->rb_left) +- deepest = ext2fs_rb_parent(node); +- else if (!node->rb_right) +- deepest = node->rb_left; +- else if (!node->rb_left) +- deepest = node->rb_right; +- else { +- deepest = ext2fs_rb_next(node); +- if (deepest->rb_right) +- deepest = deepest->rb_right; +- else if (ext2fs_rb_parent(deepest) != node) +- deepest = ext2fs_rb_parent(deepest); +- } +- +- return deepest; +-} +- +-/* +- * after removal, update the tree to account for the removed entry +- * and any rebalance damage. +- */ +-void ext2fs_rb_augment_erase_end(struct rb_node *node, rb_augment_f func, void *data) +-{ +- if (node) +- ext2fs_rb_augment_path(node, func, data); +-} +- + /* + * This function returns the first node (in sort order) of the tree. + */ +diff --git a/lib/ext2fs/rbtree.h b/lib/ext2fs/rbtree.h +index 9e806779..a4eb35ae 100644 +--- a/lib/ext2fs/rbtree.h ++++ b/lib/ext2fs/rbtree.h +@@ -161,14 +161,6 @@ static inline void ext2fs_rb_clear_node(struct rb_node *node) + extern void ext2fs_rb_insert_color(struct rb_node *, struct rb_root *); + extern void ext2fs_rb_erase(struct rb_node *, struct rb_root *); + +-typedef void (*rb_augment_f)(struct rb_node *node, void *data); +- +-extern void ext2fs_rb_augment_insert(struct rb_node *node, +- rb_augment_f func, void *data); +-extern struct rb_node *ext2fs_rb_augment_erase_begin(struct rb_node *node); +-extern void ext2fs_rb_augment_erase_end(struct rb_node *node, +- rb_augment_f func, void *data); +- + /* Find logical next and previous nodes in a tree */ + extern struct rb_node *ext2fs_rb_next(struct rb_node *); + extern struct rb_node *ext2fs_rb_prev(struct rb_node *); +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libext2fs-teach-ext2fs_flush-to-check-if-group-descr.patch b/SOURCES/e2fsprogs-1.45.6-libext2fs-teach-ext2fs_flush-to-check-if-group-descr.patch new file mode 100644 index 0000000..1b2961f --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libext2fs-teach-ext2fs_flush-to-check-if-group-descr.patch @@ -0,0 +1,35 @@ +From 4b74f91ad7480d71853ae1170d065917afc426a2 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 16 Jan 2020 18:56:49 -0500 +Subject: [PATCH 03/46] libext2fs: teach ext2fs_flush() to check if group + descriptors are loaded +Content-Type: text/plain + +If the EXT2_FLAG_SUPER_ONLY is not set, and the group descriptors are +not loaded, ext2fs_flush[2]() will return EXT2_ET_NO_GDESC. + +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ext2fs/closefs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c +index 1d4d5b7f..6814cdc3 100644 +--- a/lib/ext2fs/closefs.c ++++ b/lib/ext2fs/closefs.c +@@ -293,6 +293,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags) + + EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS); + ++ if ((fs->flags & EXT2_FLAG_SUPER_ONLY) == 0 && ++ !ext2fs_has_feature_journal_dev(fs->super) && ++ fs->group_desc == NULL) ++ return EXT2_ET_NO_GDESC; ++ + fs_state = fs->super->s_state; + feature_incompat = fs->super->s_feature_incompat; + +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libss-Add-missing-error-handling-for-fdopen.patch b/SOURCES/e2fsprogs-1.45.6-libss-Add-missing-error-handling-for-fdopen.patch new file mode 100644 index 0000000..e19ea78 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libss-Add-missing-error-handling-for-fdopen.patch @@ -0,0 +1,42 @@ +From 91a846631015734d322d11e3b8ff82d650ab7a8e Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Fri, 6 Aug 2021 11:58:19 +0200 +Subject: [PATCH 43/46] libss: Add missing error handling for fdopen() +Content-Type: text/plain + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +--- + lib/ss/list_rqs.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/ss/list_rqs.c b/lib/ss/list_rqs.c +index 021a3835..89e37bb2 100644 +--- a/lib/ss/list_rqs.c ++++ b/lib/ss/list_rqs.c +@@ -12,6 +12,9 @@ + */ + #include "config.h" + #include "ss_internal.h" ++#ifdef HAVE_UNISTD_H ++#include ++#endif + #include + #include + #include +@@ -46,6 +49,12 @@ void ss_list_requests(int argc __SS_ATTR((unused)), + return; + } + output = fdopen(fd, "w"); ++ if (!output) { ++ perror("fdopen"); ++ close(fd); ++ (void) signal(SIGINT, func); ++ return; ++ } + sigprocmask(SIG_SETMASK, &omask, (sigset_t *) 0); + + fprintf (output, "Available %s requests:\n\n", +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libss-fix-possible-NULL-pointer-dereferece-on-alloca.patch b/SOURCES/e2fsprogs-1.45.6-libss-fix-possible-NULL-pointer-dereferece-on-alloca.patch new file mode 100644 index 0000000..db5ad3d --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libss-fix-possible-NULL-pointer-dereferece-on-alloca.patch @@ -0,0 +1,36 @@ +From 422643f4758b0a0345d84b2d19312269472e2a00 Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Thu, 17 Feb 2022 10:24:59 +0100 +Subject: [PATCH 2/2] libss: fix possible NULL pointer dereferece on allocation + failure +Content-Type: text/plain + +Currently in ss_execute_command() we're missng a check to see if the +memory allocation was succesful. Fix it by checking the return from +malloc and returning ENOMEM if it had failed. + +[ Removed addition of the SS_ET_ENOMEM entry to the the libss error + table. -TYT ] + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +--- + lib/ss/execute_cmd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/ss/execute_cmd.c b/lib/ss/execute_cmd.c +index d443a468..2e2c8cfa 100644 +--- a/lib/ss/execute_cmd.c ++++ b/lib/ss/execute_cmd.c +@@ -171,6 +171,8 @@ int ss_execute_command(int sci_idx, register char *argv[]) + for (argp = argv; *argp; argp++) + argc++; + argp = (char **)malloc((argc+1)*sizeof(char *)); ++ if (!argp) ++ return(ENOMEM); + for (i = 0; i <= argc; i++) + argp[i] = argv[i]; + i = really_execute_command(sci_idx, argc, &argp); +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libss-handle-memory-allcation-failure-in-ss_help.patch b/SOURCES/e2fsprogs-1.45.6-libss-handle-memory-allcation-failure-in-ss_help.patch new file mode 100644 index 0000000..8199e89 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libss-handle-memory-allcation-failure-in-ss_help.patch @@ -0,0 +1,33 @@ +From 22c751c1ab47277e90f63ac774288f67d2e42c51 Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Fri, 6 Aug 2021 11:58:18 +0200 +Subject: [PATCH 42/46] libss: handle memory allcation failure in ss_help() +Content-Type: text/plain + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +--- + lib/ss/help.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/ss/help.c b/lib/ss/help.c +index 96eb1092..a22b4017 100644 +--- a/lib/ss/help.c ++++ b/lib/ss/help.c +@@ -96,7 +96,12 @@ void ss_help(int argc, char const * const *argv, int sci_idx, pointer info_ptr) + } + if (fd < 0) { + #define MSG "No info found for " +- char *buf = malloc(strlen (MSG) + strlen (argv[1]) + 1); ++ char *buf = malloc(strlen (MSG) + strlen (argv[1]) + 1); ++ if (!buf) { ++ ss_perror(sci_idx, 0, ++ "couldn't allocate memory to print error message"); ++ return; ++ } + strcpy(buf, MSG); + strcat(buf, argv[1]); + ss_perror(sci_idx, 0, buf); +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-libsupport-fix-potental-NULL-pointer-dereferences-in.patch b/SOURCES/e2fsprogs-1.45.6-libsupport-fix-potental-NULL-pointer-dereferences-in.patch new file mode 100644 index 0000000..216d288 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-libsupport-fix-potental-NULL-pointer-dereferences-in.patch @@ -0,0 +1,66 @@ +From c976fd2e72678a171693d2b6333c2c499ef4d588 Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Fri, 6 Aug 2021 11:58:20 +0200 +Subject: [PATCH 44/46] libsupport: fix potental NULL pointer dereferences in + quota functions +Content-Type: text/plain + +get_dq() function can fail when the memory allocation fails and so we +could end up dereferencing NULL pointer. Fix it. + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +--- + lib/support/mkquota.c | 8 ++++++-- + lib/support/quotaio_tree.c | 2 +- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c +index ef50c9ab..280b1046 100644 +--- a/lib/support/mkquota.c ++++ b/lib/support/mkquota.c +@@ -432,7 +432,8 @@ void quota_data_sub(quota_ctx_t qctx, struct ext2_inode_large *inode, + dict = qctx->quota_dict[qtype]; + if (dict) { + dq = get_dq(dict, get_qid(inode, qtype)); +- dq->dq_dqb.dqb_curspace -= space; ++ if (dq) ++ dq->dq_dqb.dqb_curspace -= space; + } + } + } +@@ -459,7 +460,8 @@ void quota_data_inodes(quota_ctx_t qctx, struct ext2_inode_large *inode, + dict = qctx->quota_dict[qtype]; + if (dict) { + dq = get_dq(dict, get_qid(inode, qtype)); +- dq->dq_dqb.dqb_curinodes += adjust; ++ if (dq) ++ dq->dq_dqb.dqb_curinodes += adjust; + } + } + } +@@ -532,6 +534,8 @@ static int scan_dquots_callback(struct dquot *dquot, void *cb_data) + struct dquot *dq; + + dq = get_dq(quota_dict, dquot->dq_id); ++ if (!dq) ++ return -1; + dq->dq_id = dquot->dq_id; + dq->dq_flags |= DQF_SEEN; + +diff --git a/lib/support/quotaio_tree.c b/lib/support/quotaio_tree.c +index 6cc4fb5b..5910e637 100644 +--- a/lib/support/quotaio_tree.c ++++ b/lib/support/quotaio_tree.c +@@ -601,7 +601,7 @@ static int report_tree(struct dquot *dquot, unsigned int blk, int depth, + __le32 *ref = (__le32 *) buf; + + if (!buf) +- return 0; ++ return -1; + + read_blk(dquot->dq_h, blk, buf); + if (depth == QT_TREEDEPTH - 1) { +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-lsattr-check-whether-path-is-NULL-in-lsattr_dir_proc.patch b/SOURCES/e2fsprogs-1.45.6-lsattr-check-whether-path-is-NULL-in-lsattr_dir_proc.patch new file mode 100644 index 0000000..fd58064 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-lsattr-check-whether-path-is-NULL-in-lsattr_dir_proc.patch @@ -0,0 +1,36 @@ +From 18850fa92c398f4a60827dd5da020f9af0822424 Mon Sep 17 00:00:00 2001 +From: Zhiqiang Liu +Date: Wed, 28 Jul 2021 09:56:48 +0800 +Subject: [PATCH 37/46] lsattr: check whether path is NULL in lsattr_dir_proc() +Content-Type: text/plain + +In lsattr_dir_proc(), if malloc() return NULL, it will cause +a segmentation fault problem. + +Signed-off-by: Zhiqiang Liu +Signed-off-by: Wu Guanghao +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + misc/lsattr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/misc/lsattr.c b/misc/lsattr.c +index 0d954376..55080e92 100644 +--- a/misc/lsattr.c ++++ b/misc/lsattr.c +@@ -144,6 +144,11 @@ static int lsattr_dir_proc (const char * dir_name, struct dirent * de, + int dir_len = strlen(dir_name); + + path = malloc(dir_len + strlen (de->d_name) + 2); ++ if (!path) { ++ fputs(_("Couldn't allocate path variable in lsattr_dir_proc\n"), ++ stderr); ++ return -1; ++ } + + if (dir_len && dir_name[dir_len-1] == '/') + sprintf (path, "%s%s", dir_name, de->d_name); +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-misc-fix-potential-segmentation-fault-problem-in-sca.patch b/SOURCES/e2fsprogs-1.45.6-misc-fix-potential-segmentation-fault-problem-in-sca.patch new file mode 100644 index 0000000..854d287 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-misc-fix-potential-segmentation-fault-problem-in-sca.patch @@ -0,0 +1,35 @@ +From 4a92545b8711df405dc804236d66386780696ce1 Mon Sep 17 00:00:00 2001 +From: Zhiqiang Liu +Date: Wed, 30 Jun 2021 16:27:20 +0800 +Subject: [PATCH 31/46] misc: fix potential segmentation fault problem in + scandir() +Content-Type: text/plain + +In scandir(), temp_list[num_dent] is allocated by calling +malloc(), we should check whether malloc() returns NULL before +accessing temp_list[num_dent]. + +Signed-off-by: Zhiqiang Liu +Signed-off-by: Wu Guanghao +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + misc/create_inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/misc/create_inode.c b/misc/create_inode.c +index 6f8487b9..38f37beb 100644 +--- a/misc/create_inode.c ++++ b/misc/create_inode.c +@@ -752,6 +752,8 @@ static int scandir(const char *dir_name, struct dirent ***name_list, + } + // add the copy of dirent to the list + temp_list[num_dent] = (struct dirent*)malloc((dent->d_reclen + 3) & ~3); ++ if (!temp_list[num_dent]) ++ goto out; + memcpy(temp_list[num_dent], dent, dent->d_reclen); + num_dent++; + } +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-mke2fs-fix-up-check-for-hardlinks-always-false-if-in.patch b/SOURCES/e2fsprogs-1.45.6-mke2fs-fix-up-check-for-hardlinks-always-false-if-in.patch new file mode 100644 index 0000000..d0e12b6 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-mke2fs-fix-up-check-for-hardlinks-always-false-if-in.patch @@ -0,0 +1,84 @@ +From d74f2e031418fb877c97c86a9c6b58eb30a4592c Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Tue, 21 Jul 2020 18:25:03 -0700 +Subject: [PATCH 10/46] mke2fs: fix up check for hardlinks always false if + inode > 0xFFFFFFFF +Content-Type: text/plain + +While file has a large inode number (> 0xFFFFFFFF), mkfs.ext4 could +not parse hardlink correctly. + +Prepare three hardlink files for mkfs.ext4 + +$ ls -il rootfs_ota/a rootfs_ota/boot/b rootfs_ota/boot/c +11026675846 -rw-r--r-- 3 hjia users 0 Jul 20 17:44 rootfs_ota/a +11026675846 -rw-r--r-- 3 hjia users 0 Jul 20 17:44 rootfs_ota/boot/b +11026675846 -rw-r--r-- 3 hjia users 0 Jul 20 17:44 rootfs_ota/boot/c + +$ truncate -s 1M rootfs_ota.ext4 + +$ mkfs.ext4 -F -i 8192 rootfs_ota.ext4 -L otaroot -U fd5f8768-c779-4dc9-adde-165a3d863349 -d rootfs_ota + +$ mkdir mnt && sudo mount rootfs_ota.ext4 mnt + +$ ls -il mnt/a mnt/boot/b mnt/boot/c +12 -rw-r--r-- 1 hjia users 0 Jul 20 17:44 mnt/a +14 -rw-r--r-- 1 hjia users 0 Jul 20 17:44 mnt/boot/b +15 -rw-r--r-- 1 hjia users 0 Jul 20 17:44 mnt/boot/c + +After applying this fix +$ ls -il mnt/a mnt/boot/b mnt/boot/c +12 -rw-r--r-- 3 hjia users 0 Jul 20 17:44 mnt/a +12 -rw-r--r-- 3 hjia users 0 Jul 20 17:44 mnt/boot/b +12 -rw-r--r-- 3 hjia users 0 Jul 20 17:44 mnt/boot/c + +Since commit [382ed4a1 e2fsck: use proper types for variables][1] +applied, it used ext2_ino_t instead of ino_t for referencing inode +numbers, but the type of is_hardlink's `ino' should not be instead, +The ext2_ino_t is 32bit, if inode > 0xFFFFFFFF, its value will be +truncated. + +Add a debug printf to show the value of inode, when it check for hardlink +files, it will always return false if inode > 0xFFFFFFFF +|--- a/misc/create_inode.c +|+++ b/misc/create_inode.c +|@@ -605,6 +605,7 @@ static int is_hardlink(struct hdlinks_s *hdlinks, dev_t dev, ext2_ino_t ino) +| { +| int i; +| +|+ printf("%s %d, %lX, %lX\n", __FUNCTION__, __LINE__, hdlinks->hdl[i].src_ino, ino); +| for (i = 0; i < hdlinks->count; i++) { +| if (hdlinks->hdl[i].src_dev == dev && +| hdlinks->hdl[i].src_ino == ino) + +Here is debug message: +is_hardlink 608, 2913DB886, 913DB886 + +The length of ext2_ino_t is 32bit (typedef __u32 __bitwise ext2_ino_t;), +and ino_t is 64bit on 64bit system (such as x86-64), recover `ino' to ino_t. + +[1] https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=382ed4a1c2b60acb9db7631e86dda207bde6076e + +Signed-off-by: Hongxu Jia +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + misc/create_inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/misc/create_inode.c b/misc/create_inode.c +index e8d1df6b..837f3875 100644 +--- a/misc/create_inode.c ++++ b/misc/create_inode.c +@@ -601,7 +601,7 @@ out: + return err; + } + +-static int is_hardlink(struct hdlinks_s *hdlinks, dev_t dev, ext2_ino_t ino) ++static int is_hardlink(struct hdlinks_s *hdlinks, dev_t dev, ino_t ino) + { + int i; + +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-mke2fs-only-try-discarding-a-single-block-to-test-if.patch b/SOURCES/e2fsprogs-1.45.6-mke2fs-only-try-discarding-a-single-block-to-test-if.patch new file mode 100644 index 0000000..414a180 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-mke2fs-only-try-discarding-a-single-block-to-test-if.patch @@ -0,0 +1,57 @@ +From 2831f4202dd1bec289a9a3459d553fcffda0f280 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sun, 18 Jul 2021 09:15:28 -0400 +Subject: [PATCH 34/46] mke2fs: only try discarding a single block to test if + discard works +Content-Type: text/plain + +Commit d2bfdc7ff15c ("Use punch hole as "discard" on regular files") +added a test to see if the storage device actually supports discard. +The intent was to try discarding the first block but since +io_channel_discard() interprets the offset and count arguments in +blocks, and not bytes, mke2fs was actually discarding the first 16 +megabytes (when the block size is 4k). This is normally not a +problem, since most file systems are larger than that, and requests to +discard beyond the end of the block device are ignored. + +However, when creating a small file system as part of a image +containing multiple partitions, the initial test discard can end up +discarding data beyond the file system being created. + +Addresses-Debian-Bug: #989630 +Reported-by: Josh Triplett +Fixes: d2bfdc7ff15c ("Use punch hole as "discard" on regular files") +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + misc/mke2fs.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/misc/mke2fs.c b/misc/mke2fs.c +index 389d0981..b2bb2847 100644 +--- a/misc/mke2fs.c ++++ b/misc/mke2fs.c +@@ -2768,7 +2768,7 @@ static int mke2fs_discard_device(ext2_filsys fs) + struct ext2fs_numeric_progress_struct progress; + blk64_t blocks = ext2fs_blocks_count(fs->super); + blk64_t count = DISCARD_STEP_MB; +- blk64_t cur; ++ blk64_t cur = 0; + int retval = 0; + + /* +@@ -2776,10 +2776,9 @@ static int mke2fs_discard_device(ext2_filsys fs) + * we do not print numeric progress resulting in failure + * afterwards. + */ +- retval = io_channel_discard(fs->io, 0, fs->blocksize); ++ retval = io_channel_discard(fs->io, 0, 1); + if (retval) + return retval; +- cur = fs->blocksize; + + count *= (1024 * 1024); + count /= fs->blocksize; +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-mmp-do-not-use-O_DIRECT-when-working-with-regular-fi.patch b/SOURCES/e2fsprogs-1.45.6-mmp-do-not-use-O_DIRECT-when-working-with-regular-fi.patch new file mode 100644 index 0000000..5f24e6b --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-mmp-do-not-use-O_DIRECT-when-working-with-regular-fi.patch @@ -0,0 +1,68 @@ +From d80424f5ceaa3a7a8ce7dbf6bacca32f2f05fdeb Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Thu, 18 Feb 2021 10:51:46 +0100 +Subject: [PATCH 23/46] mmp: do not use O_DIRECT when working with regular file +Content-Type: text/plain + +Currently the mmp block is read using O_DIRECT to avoid any caching that +may be done by the VM. However when working with regular files this +creates alignment issues when the device of the host file system has +sector size larger than the blocksize of the file system in the file +we're working with. + +This can be reproduced with t_mmp_fail test when run on the device with +4k sector size because the mke2fs fails when trying to read the mmp +block. + +Fix it by disabling O_DIRECT when working with regular files. I don't +think there is any risk of doing so since the file system layer, unlike +shared block device, should guarantee cache consistency. + +Signed-off-by: Lukas Czerner +Reviewed-by: Eric Sandeen +Reviewed-by: Andreas Dilger +Signed-off-by: Theodore Ts'o +--- + lib/ext2fs/mmp.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/lib/ext2fs/mmp.c b/lib/ext2fs/mmp.c +index eddc66a7..626fe395 100644 +--- a/lib/ext2fs/mmp.c ++++ b/lib/ext2fs/mmp.c +@@ -57,21 +57,21 @@ errcode_t ext2fs_mmp_read(ext2_filsys fs, blk64_t mmp_blk, void *buf) + * regardless of how the io_manager is doing reads, to avoid caching of + * the MMP block by the io_manager or the VM. It needs to be fresh. */ + if (fs->mmp_fd <= 0) { ++ struct stat st; + int flags = O_RDWR | O_DIRECT; + +-retry: ++ /* ++ * There is no reason for using O_DIRECT if we're working with ++ * regular file. Disabling it also avoids problems with ++ * alignment when the device of the host file system has sector ++ * size larger than blocksize of the fs we're working with. ++ */ ++ if (stat(fs->device_name, &st) == 0 && ++ S_ISREG(st.st_mode)) ++ flags &= ~O_DIRECT; ++ + fs->mmp_fd = open(fs->device_name, flags); + if (fs->mmp_fd < 0) { +- struct stat st; +- +- /* Avoid O_DIRECT for filesystem image files if open +- * fails, since it breaks when running on tmpfs. */ +- if (errno == EINVAL && (flags & O_DIRECT) && +- stat(fs->device_name, &st) == 0 && +- S_ISREG(st.st_mode)) { +- flags &= ~O_DIRECT; +- goto retry; +- } + retval = EXT2_ET_MMP_OPEN_DIRECT; + goto out; + } +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-quota-Do-not-account-space-used-by-project-quota-fil.patch b/SOURCES/e2fsprogs-1.45.6-quota-Do-not-account-space-used-by-project-quota-fil.patch new file mode 100644 index 0000000..bb13dd1 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-quota-Do-not-account-space-used-by-project-quota-fil.patch @@ -0,0 +1,39 @@ +From 7c9b477d25a81ef736a832d66793a75860394d6f Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 12 Jul 2021 17:43:08 +0200 +Subject: [PATCH 39/46] quota: Do not account space used by project quota file + to quota +Content-Type: text/plain + +Project quota files have high inode numbers but are not accounted in +quota usage. Do not track them when computing quota usage. + +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/support/mkquota.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c +index 6f7ae6d6..ef50c9ab 100644 +--- a/lib/support/mkquota.c ++++ b/lib/support/mkquota.c +@@ -500,9 +500,11 @@ errcode_t quota_compute_usage(quota_ctx_t qctx) + } + if (ino == 0) + break; +- if (inode->i_links_count && +- (ino == EXT2_ROOT_INO || +- ino >= EXT2_FIRST_INODE(fs->super))) { ++ if (!inode->i_links_count) ++ continue; ++ if (ino == EXT2_ROOT_INO || ++ (ino >= EXT2_FIRST_INODE(fs->super) && ++ ino != quota_type2inum(PRJQUOTA, fs->super))) { + space = ext2fs_get_stat_i_blocks(fs, + EXT2_INODE(inode)) << 9; + quota_data_add(qctx, inode, ino, space); +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-resize2fs-avoid-allocating-over-the-MMP-block.patch b/SOURCES/e2fsprogs-1.45.6-resize2fs-avoid-allocating-over-the-MMP-block.patch new file mode 100644 index 0000000..b571571 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-resize2fs-avoid-allocating-over-the-MMP-block.patch @@ -0,0 +1,41 @@ +From a7a6126b94b9b6b0f88b5a5cc90d069974c89901 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 6 Mar 2021 23:08:12 -0500 +Subject: [PATCH 24/46] resize2fs: avoid allocating over the MMP block +Content-Type: text/plain + +When resizing past the point where the reserve inode has reserved +space for the block group descriptors to expand, and resize2fs (in an +offline resize) needs to move the allocation bitmaps and/or inode +table around, it's possible for resize2fs to allocate over the MMP +block, which would be bad. + +Prevent this from happening by reserving the MMP block as a file +system metadata block (which it is) in resize2fs's accounting. + +Addresses-Debian-Bug: #984472 +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + resize/resize2fs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/resize/resize2fs.c b/resize/resize2fs.c +index 26050fec..e8401e79 100644 +--- a/resize/resize2fs.c ++++ b/resize/resize2fs.c +@@ -1176,6 +1176,11 @@ static errcode_t mark_table_blocks(ext2_filsys fs, + if (blk) + ext2fs_mark_block_bitmap2(bmap, blk); + } ++ /* Reserve the MMP block */ ++ if (ext2fs_has_feature_mmp(fs->super) && ++ fs->super->s_mmp_block > fs->super->s_first_data_block && ++ fs->super->s_mmp_block < ext2fs_blocks_count(fs->super)) ++ ext2fs_mark_block_bitmap2(bmap, fs->super->s_mmp_block); + return 0; + } + +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-resize2fs-prevent-block-group-descriptors-from-overf.patch b/SOURCES/e2fsprogs-1.45.6-resize2fs-prevent-block-group-descriptors-from-overf.patch new file mode 100644 index 0000000..0593576 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-resize2fs-prevent-block-group-descriptors-from-overf.patch @@ -0,0 +1,59 @@ +From 742255d914bf06fa8e8a3f048aae2c738657af52 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 2 Oct 2020 14:47:25 -0400 +Subject: [PATCH 11/46] resize2fs: prevent block group descriptors from + overflowing the first bg +Content-Type: text/plain + +For 1k block file systems, resizing a file system larger than +1073610752 blocks will result in the size of the block group +descriptors to be so large that it will overlap with the backup +superblock in block group #1. This problem can be reproduced via: + + mke2fs -t ext4 /tmp/foo.img 200M + resize2fs /tmp/foo.img 1T + e2fsck -f /tmp/foo.img + +https://github.com/tytso/e2fsprogs/issues/50 + +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + resize/main.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/resize/main.c b/resize/main.c +index a0c31c06..5e771d2a 100644 +--- a/resize/main.c ++++ b/resize/main.c +@@ -269,6 +269,8 @@ int main (int argc, char ** argv) + long sysval; + int len, mount_flags; + char *mtpt, *undo_file = NULL; ++ dgrp_t new_group_desc_count; ++ unsigned long new_desc_blocks; + + #ifdef ENABLE_NLS + setlocale(LC_MESSAGES, ""); +@@ -528,6 +530,18 @@ int main (int argc, char ** argv) + exit(1); + } + } ++ new_group_desc_count = ext2fs_div64_ceil(new_size - ++ fs->super->s_first_data_block, ++ EXT2_BLOCKS_PER_GROUP(fs->super)); ++ new_desc_blocks = ext2fs_div_ceil(new_group_desc_count, ++ EXT2_DESC_PER_BLOCK(fs->super)); ++ if ((new_desc_blocks + fs->super->s_first_data_block) > ++ EXT2_BLOCKS_PER_GROUP(fs->super)) { ++ com_err(program_name, 0, ++ _("New size results in too many block group " ++ "descriptors.\n")); ++ exit(1); ++ } + + if (!force && new_size < min_size) { + com_err(program_name, 0, +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-ss_add_info_dir-fix-error-handling-when-memory-alloc.patch b/SOURCES/e2fsprogs-1.45.6-ss_add_info_dir-fix-error-handling-when-memory-alloc.patch new file mode 100644 index 0000000..f2f0e08 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-ss_add_info_dir-fix-error-handling-when-memory-alloc.patch @@ -0,0 +1,48 @@ +From 7fa914a178bbda39e3ed75326e18b183784fd57e Mon Sep 17 00:00:00 2001 +From: Wu Guanghao +Date: Wed, 28 Jul 2021 09:56:45 +0800 +Subject: [PATCH 35/46] ss_add_info_dir: fix error handling when memory + allocation fails +Content-Type: text/plain + +If the realloc() and malloc() calls fail, avoid a memory leak as well +as a potential seg fault. + +[ Fix error code setting to avoid depending on malloc() and realloc() + setting errno. -- TYT ] + +Signed-off-by: Wu Guanghao +Signed-off-by: Zhiqiang Liu +Reviewed-by: Wu Bo +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ss/help.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/lib/ss/help.c b/lib/ss/help.c +index 5204401b..96eb1092 100644 +--- a/lib/ss/help.c ++++ b/lib/ss/help.c +@@ -148,13 +148,16 @@ void ss_add_info_dir(int sci_idx, char *info_dir, int *code_ptr) + dirs = (char **)realloc((char *)dirs, + (unsigned)(n_dirs + 2)*sizeof(char *)); + if (dirs == (char **)NULL) { +- info->info_dirs = (char **)NULL; +- *code_ptr = errno; ++ *code_ptr = ENOMEM; + return; + } + info->info_dirs = dirs; + dirs[n_dirs + 1] = (char *)NULL; + dirs[n_dirs] = malloc((unsigned)strlen(info_dir)+1); ++ if (dirs[n_dirs] == (char *)NULL) { ++ *code_ptr = ENOMEM; ++ return; ++ } + strcpy(dirs[n_dirs], info_dir); + *code_ptr = 0; + } +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-ss_create_invocation-fix-error-handling-when-memory-.patch b/SOURCES/e2fsprogs-1.45.6-ss_create_invocation-fix-error-handling-when-memory-.patch new file mode 100644 index 0000000..2c950de --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-ss_create_invocation-fix-error-handling-when-memory-.patch @@ -0,0 +1,112 @@ +From e46e4a8c3c298ec05092008966072d73437c9728 Mon Sep 17 00:00:00 2001 +From: Wu Guanghao +Date: Wed, 28 Jul 2021 09:56:46 +0800 +Subject: [PATCH 36/46] ss_create_invocation: fix error handling when memory + allocation fails +Content-Type: text/plain + +In ss_create_invocation(), it is necessary to check whether +returned by malloc is a null pointer. + +Signed-off-by: Wu Guanghao +Signed-off-by: Zhiqiang Liu +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ss/invocation.c | 42 +++++++++++++++++++++++++++++++++--------- + 1 file changed, 33 insertions(+), 9 deletions(-) + +diff --git a/lib/ss/invocation.c b/lib/ss/invocation.c +index 457e7a2c..bf5ea0ce 100644 +--- a/lib/ss/invocation.c ++++ b/lib/ss/invocation.c +@@ -26,29 +26,33 @@ int ss_create_invocation(const char *subsystem_name, const char *version_string, + void *info_ptr, ss_request_table *request_table_ptr, + int *code_ptr) + { +- register int sci_idx; +- register ss_data *new_table; +- register ss_data **table; ++ int sci_idx; ++ ss_data *new_table = NULL; ++ ss_data **table = NULL; ++ ss_data **realloc_table = NULL; + + *code_ptr = 0; + table = _ss_table; + new_table = (ss_data *) malloc(sizeof(ss_data)); ++ if (!new_table) ++ goto out; + + if (table == (ss_data **) NULL) { + table = (ss_data **) malloc(2 * size); ++ if (!table) ++ goto out; + table[0] = table[1] = (ss_data *)NULL; + } + initialize_ss_error_table (); + + for (sci_idx = 1; table[sci_idx] != (ss_data *)NULL; sci_idx++) + ; +- table = (ss_data **) realloc((char *)table, ++ realloc_table = (ss_data **) realloc((char *)table, + ((unsigned)sci_idx+2)*size); +- if (table == NULL) { +- *code_ptr = ENOMEM; +- free(new_table); +- return 0; +- } ++ if (realloc_table == NULL) ++ goto out; ++ ++ table = realloc_table; + table[sci_idx+1] = (ss_data *) NULL; + table[sci_idx] = new_table; + +@@ -57,9 +61,15 @@ int ss_create_invocation(const char *subsystem_name, const char *version_string, + new_table->argv = (char **)NULL; + new_table->current_request = (char *)NULL; + new_table->info_dirs = (char **)malloc(sizeof(char *)); ++ if (!new_table->info_dirs) ++ goto out; ++ + *new_table->info_dirs = (char *)NULL; + new_table->info_ptr = info_ptr; + new_table->prompt = malloc((unsigned)strlen(subsystem_name)+4); ++ if (!new_table->prompt) ++ goto out; ++ + strcpy(new_table->prompt, subsystem_name); + strcat(new_table->prompt, ": "); + #ifdef silly +@@ -71,6 +81,9 @@ int ss_create_invocation(const char *subsystem_name, const char *version_string, + new_table->flags.abbrevs_disabled = 0; + new_table->rqt_tables = + (ss_request_table **) calloc(2, sizeof(ss_request_table *)); ++ if (!new_table->rqt_tables) ++ goto out; ++ + *(new_table->rqt_tables) = request_table_ptr; + *(new_table->rqt_tables+1) = (ss_request_table *) NULL; + +@@ -85,6 +98,17 @@ int ss_create_invocation(const char *subsystem_name, const char *version_string, + ss_get_readline(sci_idx); + #endif + return(sci_idx); ++ ++out: ++ if (new_table) { ++ free(new_table->prompt); ++ free(new_table->info_dirs); ++ } ++ free(new_table); ++ free(table); ++ *code_ptr = ENOMEM; ++ return 0; ++ + } + + void +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-ss_create_invocation-fix-potential-unititalized-refe.patch b/SOURCES/e2fsprogs-1.45.6-ss_create_invocation-fix-potential-unititalized-refe.patch new file mode 100644 index 0000000..4b7f809 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-ss_create_invocation-fix-potential-unititalized-refe.patch @@ -0,0 +1,30 @@ +From 1f70da1ff20ed99f2a3ac26a61a6492279bd44de Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 3 Aug 2021 11:03:34 -0400 +Subject: [PATCH 38/46] ss_create_invocation: fix potential unititalized + reference in error path +Content-Type: text/plain + +Fixes: eccdde1ff381 ("ss_create_invocation: fix error handling when ...") +Addresses-Coverity-Bug: 1489771 +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ss/invocation.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/ss/invocation.c b/lib/ss/invocation.c +index bf5ea0ce..7d7458a7 100644 +--- a/lib/ss/invocation.c ++++ b/lib/ss/invocation.c +@@ -36,6 +36,7 @@ int ss_create_invocation(const char *subsystem_name, const char *version_string, + new_table = (ss_data *) malloc(sizeof(ss_data)); + if (!new_table) + goto out; ++ memset(new_table, 0, sizeof(ss_data)); + + if (table == (ss_data **) NULL) { + table = (ss_data **) malloc(2 * size); +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-tdb_transaction_recover-fix-memory-leak.patch b/SOURCES/e2fsprogs-1.45.6-tdb_transaction_recover-fix-memory-leak.patch new file mode 100644 index 0000000..43ae5a4 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-tdb_transaction_recover-fix-memory-leak.patch @@ -0,0 +1,33 @@ +From a6f7be73206a27f6b5eb95ed66095d38110560cc Mon Sep 17 00:00:00 2001 +From: wuguanghao +Date: Wed, 30 Jun 2021 16:27:14 +0800 +Subject: [PATCH 27/46] tdb_transaction_recover: fix memory leak +Content-Type: text/plain + +In tdb_transaction_recover(), need free data before return, +otherwise it will cause memory leak. + +Signed-off-by: Wu Guanghao +Signed-off-by: Zhiqiang Liu +Reviewed-by: Wu Bo +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + lib/ext2fs/tdb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/ext2fs/tdb.c b/lib/ext2fs/tdb.c +index 5091b128..0fb94815 100644 +--- a/lib/ext2fs/tdb.c ++++ b/lib/ext2fs/tdb.c +@@ -2186,6 +2186,7 @@ int tdb_transaction_recover(struct tdb_context *tdb) + rec.data_len, 0) == -1) { + TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to read recovery data\n")); + tdb->ecode = TDB_ERR_IO; ++ free(data); + return -1; + } + +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-tests-Add-option-to-print-diff-output-of-failed-test.patch b/SOURCES/e2fsprogs-1.45.6-tests-Add-option-to-print-diff-output-of-failed-test.patch new file mode 100644 index 0000000..cb5f7a3 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-tests-Add-option-to-print-diff-output-of-failed-test.patch @@ -0,0 +1,33 @@ +From 4b2fa25a97e53636dfe216198a1e97266cf0709a Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Thu, 2 Sep 2021 12:58:52 +0200 +Subject: [PATCH 46/46] tests: Add option to print diff output of failed tests +Content-Type: text/plain + +Add variable $PRINT_FAILED which when set will print the diff output of +a failed test. + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +--- + tests/test_one.in | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tests/test_one.in b/tests/test_one.in +index 5d7607ad..78499ad0 100644 +--- a/tests/test_one.in ++++ b/tests/test_one.in +@@ -82,6 +82,10 @@ if [ $elapsed -gt 60 -a ! -f $test_dir/is_slow_test ]; then + echo "$test_name: consider adding $test_dir/is_slow_test" + fi + ++if [ -n "$PRINT_FAILED" -a -f $test_name.failed ] ; then ++ cat $test_name.failed ++fi ++ + if [ "$SKIP_UNLINK" != "true" ] ; then + rm -f $TMPFILE + fi +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-tune2fs-update-dir-checksums-when-clearing-dir_index.patch b/SOURCES/e2fsprogs-1.45.6-tune2fs-update-dir-checksums-when-clearing-dir_index.patch new file mode 100644 index 0000000..f8dae8d --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-tune2fs-update-dir-checksums-when-clearing-dir_index.patch @@ -0,0 +1,284 @@ +From fb4a6ed596f6a9f6b1c6d3d9307ef8259d988c04 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 13 Feb 2020 11:16:02 +0100 +Subject: [PATCH 06/46] tune2fs: update dir checksums when clearing dir_index + feature +Content-Type: text/plain + +When clearing dir_index feature while metadata_csum is enabled, we have +to rewrite checksums of all indexed directories to update checksums of +internal tree nodes. + +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + misc/tune2fs.c | 143 ++++++++++++++++++++++++++++++++----------------- + 1 file changed, 95 insertions(+), 48 deletions(-) + +diff --git a/misc/tune2fs.c b/misc/tune2fs.c +index 39cf8587..a7a779b8 100644 +--- a/misc/tune2fs.c ++++ b/misc/tune2fs.c +@@ -504,7 +504,8 @@ struct rewrite_dir_context { + char *buf; + errcode_t errcode; + ext2_ino_t dir; +- int is_htree; ++ int is_htree:1; ++ int clear_htree:1; + }; + + static int rewrite_dir_block(ext2_filsys fs, +@@ -523,8 +524,13 @@ static int rewrite_dir_block(ext2_filsys fs, + if (ctx->errcode) + return BLOCK_ABORT; + +- /* if htree node... */ +- if (ctx->is_htree) ++ /* ++ * if htree node... Note that if we are clearing htree structures from ++ * the directory, we treat the htree internal block as an ordinary leaf. ++ * The code below will do the right thing and make space for checksum ++ * there. ++ */ ++ if (ctx->is_htree && !ctx->clear_htree) + ext2fs_get_dx_countlimit(fs, (struct ext2_dir_entry *)ctx->buf, + &dcl, &dcl_offset); + if (dcl) { +@@ -653,7 +659,8 @@ static errcode_t rewrite_directory(ext2_filsys fs, ext2_ino_t dir, + if (retval) + return retval; + +- ctx.is_htree = (inode->i_flags & EXT2_INDEX_FL); ++ ctx.is_htree = !!(inode->i_flags & EXT2_INDEX_FL); ++ ctx.clear_htree = !ext2fs_has_feature_dir_index(fs->super); + ctx.dir = dir; + ctx.errcode = 0; + retval = ext2fs_block_iterate3(fs, dir, BLOCK_FLAG_READ_ONLY | +@@ -664,6 +671,13 @@ static errcode_t rewrite_directory(ext2_filsys fs, ext2_ino_t dir, + if (retval) + return retval; + ++ if (ctx.is_htree && ctx.clear_htree) { ++ inode->i_flags &= ~EXT2_INDEX_FL; ++ retval = ext2fs_write_inode(fs, dir, inode); ++ if (retval) ++ return retval; ++ } ++ + return ctx.errcode; + } + +@@ -818,28 +832,67 @@ static void rewrite_one_inode(struct rewrite_context *ctx, ext2_ino_t ino, + fatal_err(retval, "while rewriting extended attribute"); + } + +-/* +- * Forcibly set checksums in all inodes. +- */ +-static void rewrite_inodes(ext2_filsys fs) ++#define REWRITE_EA_FL 0x01 /* Rewrite EA inodes */ ++#define REWRITE_DIR_FL 0x02 /* Rewrite directories */ ++#define REWRITE_NONDIR_FL 0x04 /* Rewrite other inodes */ ++#define REWRITE_ALL (REWRITE_EA_FL | REWRITE_DIR_FL | REWRITE_NONDIR_FL) ++ ++static void rewrite_inodes_pass(struct rewrite_context *ctx, unsigned int flags) + { + ext2_inode_scan scan; + errcode_t retval; + ext2_ino_t ino; + struct ext2_inode *inode; +- int pass; ++ int rewrite; ++ ++ retval = ext2fs_get_mem(ctx->inode_size, &inode); ++ if (retval) ++ fatal_err(retval, "while allocating memory"); ++ ++ retval = ext2fs_open_inode_scan(ctx->fs, 0, &scan); ++ if (retval) ++ fatal_err(retval, "while opening inode scan"); ++ ++ do { ++ retval = ext2fs_get_next_inode_full(scan, &ino, inode, ++ ctx->inode_size); ++ if (retval) ++ fatal_err(retval, "while getting next inode"); ++ if (!ino) ++ break; ++ ++ rewrite = 0; ++ if (inode->i_flags & EXT4_EA_INODE_FL) { ++ if (flags & REWRITE_EA_FL) ++ rewrite = 1; ++ } else if (LINUX_S_ISDIR(inode->i_mode)) { ++ if (flags & REWRITE_DIR_FL) ++ rewrite = 1; ++ } else { ++ if (flags & REWRITE_NONDIR_FL) ++ rewrite = 1; ++ } ++ if (rewrite) ++ rewrite_one_inode(ctx, ino, inode); ++ } while (ino); ++ ext2fs_close_inode_scan(scan); ++ ext2fs_free_mem(&inode); ++} ++ ++/* ++ * Forcibly rewrite checksums in inodes specified by 'flags' ++ */ ++static void rewrite_inodes(ext2_filsys fs, unsigned int flags) ++{ + struct rewrite_context ctx = { + .fs = fs, + .inode_size = EXT2_INODE_SIZE(fs->super), + }; ++ errcode_t retval; + + if (fs->super->s_creator_os == EXT2_OS_HURD) + return; + +- retval = ext2fs_get_mem(ctx.inode_size, &inode); +- if (retval) +- fatal_err(retval, "while allocating memory"); +- + retval = ext2fs_get_memzero(ctx.inode_size, &ctx.zero_inode); + if (retval) + fatal_err(retval, "while allocating memory"); +@@ -858,39 +911,16 @@ static void rewrite_inodes(ext2_filsys fs) + * + * pass 2: go over other inodes to update their checksums. + */ +- if (ext2fs_has_feature_ea_inode(fs->super)) +- pass = 1; +- else +- pass = 2; +- for (;pass <= 2; pass++) { +- retval = ext2fs_open_inode_scan(fs, 0, &scan); +- if (retval) +- fatal_err(retval, "while opening inode scan"); +- +- do { +- retval = ext2fs_get_next_inode_full(scan, &ino, inode, +- ctx.inode_size); +- if (retval) +- fatal_err(retval, "while getting next inode"); +- if (!ino) +- break; +- +- if (((pass == 1) && +- (inode->i_flags & EXT4_EA_INODE_FL)) || +- ((pass == 2) && +- !(inode->i_flags & EXT4_EA_INODE_FL))) +- rewrite_one_inode(&ctx, ino, inode); +- } while (ino); +- +- ext2fs_close_inode_scan(scan); +- } ++ if (ext2fs_has_feature_ea_inode(fs->super) && (flags & REWRITE_EA_FL)) ++ rewrite_inodes_pass(&ctx, REWRITE_EA_FL); ++ flags &= ~REWRITE_EA_FL; ++ rewrite_inodes_pass(&ctx, flags); + + ext2fs_free_mem(&ctx.zero_inode); + ext2fs_free_mem(&ctx.ea_buf); +- ext2fs_free_mem(&inode); + } + +-static void rewrite_metadata_checksums(ext2_filsys fs) ++static void rewrite_metadata_checksums(ext2_filsys fs, unsigned int flags) + { + errcode_t retval; + dgrp_t i; +@@ -902,7 +932,7 @@ static void rewrite_metadata_checksums(ext2_filsys fs) + retval = ext2fs_read_bitmaps(fs); + if (retval) + fatal_err(retval, "while reading bitmaps"); +- rewrite_inodes(fs); ++ rewrite_inodes(fs, flags); + ext2fs_mark_ib_dirty(fs); + ext2fs_mark_bb_dirty(fs); + ext2fs_mmp_update2(fs, 1); +@@ -1201,6 +1231,23 @@ mmp_error: + uuid_generate((unsigned char *) sb->s_hash_seed); + } + ++ if (FEATURE_OFF(E2P_FEATURE_COMPAT, EXT2_FEATURE_COMPAT_DIR_INDEX) && ++ ext2fs_has_feature_metadata_csum(sb)) { ++ check_fsck_needed(fs, ++ _("Disabling directory index on filesystem with " ++ "checksums could take some time.")); ++ if (mount_flags & EXT2_MF_MOUNTED) { ++ fputs(_("Cannot disable dir_index on a mounted " ++ "filesystem!\n"), stderr); ++ exit(1); ++ } ++ /* ++ * Clearing dir_index on checksummed filesystem requires ++ * rewriting all directories to update checksums. ++ */ ++ rewrite_checksums |= REWRITE_DIR_FL; ++ } ++ + if (FEATURE_OFF(E2P_FEATURE_INCOMPAT, EXT4_FEATURE_INCOMPAT_FLEX_BG)) { + if (ext2fs_check_desc(fs)) { + fputs(_("Clearing the flex_bg flag would " +@@ -1244,7 +1291,7 @@ mmp_error: + "The larger fields afforded by this feature " + "enable full-strength checksumming. " + "Run resize2fs -b to rectify.\n")); +- rewrite_checksums = 1; ++ rewrite_checksums = REWRITE_ALL; + /* metadata_csum supersedes uninit_bg */ + ext2fs_clear_feature_gdt_csum(fs->super); + +@@ -1272,7 +1319,7 @@ mmp_error: + "filesystem!\n"), stderr); + exit(1); + } +- rewrite_checksums = 1; ++ rewrite_checksums = REWRITE_ALL; + + /* Enable uninit_bg unless the user expressly turned it off */ + memcpy(test_features, old_features, sizeof(test_features)); +@@ -1454,7 +1501,7 @@ mmp_error: + } + check_fsck_needed(fs, _("Recalculating checksums " + "could take some time.")); +- rewrite_checksums = 1; ++ rewrite_checksums = REWRITE_ALL; + } + } + +@@ -3191,7 +3238,7 @@ _("Warning: The journal is dirty. You may wish to replay the journal like:\n\n" + check_fsck_needed(fs, + _("Setting the UUID on this " + "filesystem could take some time.")); +- rewrite_checksums = 1; ++ rewrite_checksums = REWRITE_ALL; + } + + if (ext2fs_has_group_desc_csum(fs)) { +@@ -3302,7 +3349,7 @@ _("Warning: The journal is dirty. You may wish to replay the journal like:\n\n" + if (retval == 0) { + printf(_("Setting inode size %lu\n"), + new_inode_size); +- rewrite_checksums = 1; ++ rewrite_checksums = REWRITE_ALL; + } else { + printf("%s", _("Failed to change inode size\n")); + rc = 1; +@@ -3311,7 +3358,7 @@ _("Warning: The journal is dirty. You may wish to replay the journal like:\n\n" + } + + if (rewrite_checksums) +- rewrite_metadata_checksums(fs); ++ rewrite_metadata_checksums(fs, rewrite_checksums); + + if (l_flag) + list_super(sb); +-- +2.35.1 + diff --git a/SOURCES/e2fsprogs-1.45.6-zap_sector-fix-memory-leak.patch b/SOURCES/e2fsprogs-1.45.6-zap_sector-fix-memory-leak.patch new file mode 100644 index 0000000..66e0bc5 --- /dev/null +++ b/SOURCES/e2fsprogs-1.45.6-zap_sector-fix-memory-leak.patch @@ -0,0 +1,37 @@ +From 8f0e75091cfcbdfbfa0f6d0e379e153ddaa268ac Mon Sep 17 00:00:00 2001 +From: wuguanghao +Date: Wed, 30 Jun 2021 16:27:15 +0800 +Subject: [PATCH 28/46] zap_sector: fix memory leak +Content-Type: text/plain + +In zap_sector(), need free buf before return, +otherwise it will cause memory leak. + +Signed-off-by: Wu Guanghao +Signed-off-by: Zhiqiang Liu +Reviewed-by: Wu Bo +Signed-off-by: Theodore Ts'o +Signed-off-by: Lukas Czerner +--- + misc/mke2fs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/misc/mke2fs.c b/misc/mke2fs.c +index 0184a3a8..389d0981 100644 +--- a/misc/mke2fs.c ++++ b/misc/mke2fs.c +@@ -582,8 +582,10 @@ static void zap_sector(ext2_filsys fs, int sect, int nsect) + else { + magic = (unsigned int *) (buf + BSD_LABEL_OFFSET); + if ((*magic == BSD_DISKMAGIC) || +- (*magic == BSD_MAGICDISK)) ++ (*magic == BSD_MAGICDISK)) { ++ free(buf); + return; ++ } + } + } + +-- +2.35.1 + diff --git a/SPECS/e2fsprogs.spec b/SPECS/e2fsprogs.spec index d12fe7f..4e5b47b 100644 --- a/SPECS/e2fsprogs.spec +++ b/SPECS/e2fsprogs.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing ext2, ext3, and ext4 file systems Name: e2fsprogs Version: 1.45.6 -Release: 4%{?dist} +Release: 5%{?dist} # License tags based on COPYING file distinctions for various components License: GPLv2 @@ -38,6 +38,54 @@ Patch7: e2fsprogs-1.45.6-mke2fs-Escape-double-quotes-when-parsing-mke2fs.conf.pa Patch8: 0001-reisze2fs-sanity-check-free-block-group-counts-when-.patch Patch9: 0001-tests-support-older-versions-of-timeout-in-r_corrupt.patch Patch10: 0001-tests-specify-inode-size-in-r_corrupt_fs.patch +Patch11: e2fsprogs-1.45.6-libext2fs-fix-crash-in-ext2fs_open2-on-Big-Endian-sy.patch +Patch12: e2fsprogs-1.45.6-libext2fs-fix-crash-in-ext2fs_image_super_write-on-B.patch +Patch13: e2fsprogs-1.45.6-libext2fs-teach-ext2fs_flush-to-check-if-group-descr.patch +Patch14: e2fsprogs-1.45.6-libext2fs-don-t-needlessly-byte-swap-the-group-descr.patch +Patch15: e2fsprogs-1.45.6-e2fsck-fix-indexed-dir-rehash-failure-with-metadata_.patch +Patch16: e2fsprogs-1.45.6-tune2fs-update-dir-checksums-when-clearing-dir_index.patch +Patch17: e2fsprogs-1.45.6-e2fsck-fix-off-by-one-check-when-validating-depth-of.patch +Patch18: e2fsprogs-1.45.6-libext2fs-fix-potential-buffer-overrun-in-__get_dire.patch +Patch19: e2fsprogs-1.45.6-e2fsck-use-size_t-instead-of-int-in-string_copy.patch +Patch20: e2fsprogs-1.45.6-mke2fs-fix-up-check-for-hardlinks-always-false-if-in.patch +Patch21: e2fsprogs-1.45.6-resize2fs-prevent-block-group-descriptors-from-overf.patch +Patch22: e2fsprogs-1.45.6-debugfs-fix-parse_uint-for-64-bit-fields.patch +Patch23: e2fsprogs-1.45.6-create_inode-set-xattrs-to-the-root-directory-as-wel.patch +Patch24: e2fsprogs-1.45.6-filefrag-handle-invalid-st_dev-and-blksize-cases.patch +Patch25: e2fsprogs-1.45.6-libext2fs-fix-incorrect-negative-error-return-in-uni.patch +Patch26: e2fsprogs-1.45.6-debugfs-fix-double-free-in-realloc-error-path-in-rea.patch +Patch27: e2fsprogs-1.45.6-Fix-clang-warnings.patch +Patch28: e2fsprogs-1.45.6-libext2fs-fix-segault-when-setting-an-xattr-with-an-.patch +Patch29: e2fsprogs-1.45.6-debugfs-fix-memory-allocation-failures-when-parsing-.patch +Patch30: e2fsprogs-1.45.6-libext2fs-fix-crash-when-ext2fs_mmp_stop-is-called-b.patch +Patch31: e2fsprogs-1.45.6-Add-checks-for-fs-blocksize-0-which-could-cause-some.patch +Patch32: e2fsprogs-1.45.6-debugfs-fix-memory-leak-problem-in-read_list.patch +Patch33: e2fsprogs-1.45.6-mmp-do-not-use-O_DIRECT-when-working-with-regular-fi.patch +Patch34: e2fsprogs-1.45.6-resize2fs-avoid-allocating-over-the-MMP-block.patch +Patch35: e2fsprogs-1.45.6-e2image-fix-overflow-in-l2-table-processing.patch +Patch36: e2fsprogs-1.45.6-e2fsck-fix-last-mount-write-time-when-e2fsck-is-forc.patch +Patch37: e2fsprogs-1.45.6-tdb_transaction_recover-fix-memory-leak.patch +Patch38: e2fsprogs-1.45.6-zap_sector-fix-memory-leak.patch +Patch39: e2fsprogs-1.45.6-append_pathname-check-the-value-returned-by-realloc.patch +Patch40: e2fsprogs-1.45.6-argv_parse-check-return-value-of-malloc-in-argv_pars.patch +Patch41: e2fsprogs-1.45.6-misc-fix-potential-segmentation-fault-problem-in-sca.patch +Patch42: e2fsprogs-1.45.6-lib-ss-error.c-check-return-value-malloc-in-ss_name.patch +Patch43: e2fsprogs-1.45.6-ext2ed-fix-potential-NULL-pointer-dereference-in-dup.patch +Patch44: e2fsprogs-1.45.6-mke2fs-only-try-discarding-a-single-block-to-test-if.patch +Patch45: e2fsprogs-1.45.6-ss_add_info_dir-fix-error-handling-when-memory-alloc.patch +Patch46: e2fsprogs-1.45.6-ss_create_invocation-fix-error-handling-when-memory-.patch +Patch47: e2fsprogs-1.45.6-lsattr-check-whether-path-is-NULL-in-lsattr_dir_proc.patch +Patch48: e2fsprogs-1.45.6-ss_create_invocation-fix-potential-unititalized-refe.patch +Patch49: e2fsprogs-1.45.6-quota-Do-not-account-space-used-by-project-quota-fil.patch +Patch50: e2fsprogs-1.45.6-libext2fs-fix-unexpected-NULL-variable.patch +Patch51: e2fsprogs-1.45.6-libext2fs-remove-augmented-rbtree-functionality.patch +Patch52: e2fsprogs-1.45.6-libss-handle-memory-allcation-failure-in-ss_help.patch +Patch53: e2fsprogs-1.45.6-libss-Add-missing-error-handling-for-fdopen.patch +Patch54: e2fsprogs-1.45.6-libsupport-fix-potental-NULL-pointer-dereferences-in.patch +Patch55: e2fsprogs-1.45.6-e2fsck-add-maximum-string-length-specifiers-to-fscan.patch +Patch56: e2fsprogs-1.45.6-tests-Add-option-to-print-diff-output-of-failed-test.patch +Patch57: e2fsprogs-1.45.6-libext2fs-add-sanity-check-to-extent-manipulation.patch +Patch58: e2fsprogs-1.45.6-libss-fix-possible-NULL-pointer-dereferece-on-alloca.patch %description The e2fsprogs package contains a number of utilities for creating, @@ -167,6 +215,54 @@ It was originally inspired by the Multics SubSystem library. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 +%patch38 -p1 +%patch39 -p1 +%patch40 -p1 +%patch41 -p1 +%patch42 -p1 +%patch43 -p1 +%patch44 -p1 +%patch45 -p1 +%patch46 -p1 +%patch47 -p1 +%patch48 -p1 +%patch49 -p1 +%patch50 -p1 +%patch51 -p1 +%patch52 -p1 +%patch53 -p1 +%patch54 -p1 +%patch55 -p1 +%patch56 -p1 +%patch57 -p1 +%patch58 -p1 %build %configure CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" \ @@ -190,7 +286,7 @@ chmod +w %{buildroot}%{_libdir}/*.a %find_lang %{name} %check -make fullcheck +make PRINT_FAILED=yes fullcheck %post libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig @@ -329,6 +425,10 @@ exit 0 %{_libdir}/pkgconfig/ss.pc %changelog +* Wed May 11 2022 Lukas Czerner 1.45.6-5 +- Update e2fsprogs with upstream fixes and improvements (#2083621) +- Fix out-of-bounds read/write via crafter filesystem (#2073548) + * Wed Feb 16 2022 Lukas Czerner 1.45.6-4 - Sanity check free block group counts when calculating minimum size (#2054129)