e2fsprogs-1.46.5-3

Add sanity check to extent manipulation (#2073549)

Resolves: rhbz#2073549
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Lukas Czerner 2022-05-13 16:18:18 +02:00
parent 79ef0f822c
commit ba13cc961c
2 changed files with 63 additions and 1 deletions


@ -0,0 +1,57 @@
From ff6679208f45975a090b1260367f1fc5a17b3db7 Mon Sep 17 00:00:00 2001
From: Lukas Czerner <lczerner@redhat.com>
Date: Thu, 21 Apr 2022 19:31:48 +0200
Subject: [PATCH] libext2fs: add sanity check to extent manipulation
Content-Type: text/plain
It is possible to have a corrupted extent tree in such a way that a leaf
node contains zero extents in it. Currently if that happens and we try
to traverse the tree we can end up accessing wrong data, or possibly
even uninitialized memory. Make sure we don't do that.
Additionally make sure that we have a sane number of bytes passed to
memmove() in ext2fs_extent_delete().
Note that e2fsck is currently unable to spot and fix such corruption in
pass1.
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reported-by: Nils Bars <nils_bars@t-online.de>
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113
Addresses: CVE-2022-1304
Addresses-Debian-Bug: #1010263
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
(cherry picked from commit ab51d587bb9b229b1fade1afd02e1574c1ba5c76)
---
lib/ext2fs/extent.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
index b324c7b0..1a206a16 100644
--- a/lib/ext2fs/extent.c
+++ b/lib/ext2fs/extent.c
@@ -495,6 +495,10 @@ retry:
ext2fs_le16_to_cpu(eh->eh_entries);
newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);
+ /* Make sure there is at least one extent present */
+ if (newpath->left <= 0)
+ return EXT2_ET_EXTENT_NO_DOWN;
+
if (path->left > 0) {
ix++;
newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);
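Review bot: The zero-extent check returns EXT2_ET_EXTENT_NO_DOWN, while the later check in ext2fs_extent_delete() reports corruption as EXT2_ET_EXTENT_LEAF_BAD. A caller that handles NO_DOWN as an ordinary "cannot descend" result would not learn that the tree is corrupt, so consider a corruption-specific code here or a comment explaining why NO_DOWN is intended. The return also happens after newpath->left and newpath->max_entries have been written, so it is worth confirming that the handle is left in a state the caller can safely continue from on this error path.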
@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)
cp = path->curr;
+ /* Sanity check before memmove() */
+ if (path->left < 0)
+ return EXT2_ET_EXTENT_LEAF_BAD;
+
if (path->left) {
memmove(cp, cp + sizeof(struct ext3_extent_idx),
path->left * sizeof(struct ext3_extent_idx));
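Review bot: The check before memmove() rejects only path->left < 0, so a corrupted positive value still flows unbounded into path->left * sizeof(struct ext3_extent_idx). Consider also rejecting values larger than the node can hold, for example by comparing against the node's max_entries, so the copy length is bounded on both sides. Since the commit message says e2fsck cannot yet catch this corruption in pass1, a regression test using an image with a zero-extent leaf would help keep this path covered.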
--
2.35.3


@ -1,7 +1,7 @@
Summary: Utilities for managing ext2, ext3, and ext4 file systems Summary: Utilities for managing ext2, ext3, and ext4 file systems
Name: e2fsprogs Name: e2fsprogs
Version: 1.46.5 Version: 1.46.5
Release: 2%{?dist} Release: 3%{?dist}
# License tags based on COPYING file distinctions for various components # License tags based on COPYING file distinctions for various components
License: GPLv2 License: GPLv2
@ -41,6 +41,7 @@ BuildRequires: gnupg2 xz
Patch0: 0001-Remove-local-PATH.patch Patch0: 0001-Remove-local-PATH.patch
Patch1: 0002-man-Add-note-about-RHEL9-supported-features-and-moun.patch Patch1: 0002-man-Add-note-about-RHEL9-supported-features-and-moun.patch
Patch2: 0003-mke2fs.conf-Introduce-rhel6-rhel7-and-rhel8-fs_type.patch Patch2: 0003-mke2fs.conf-Introduce-rhel6-rhel7-and-rhel8-fs_type.patch
Patch3: e2fsprogs-libext2fs-add-sanity-check-to-extent-manipulation.patch
%description %description
The e2fsprogs package contains a number of utilities for creating, The e2fsprogs package contains a number of utilities for creating,
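Review bot: Patch3 breaks the numbered file naming used by Patch0 through Patch2 (0001-, 0002-, 0003-). A 0004- prefix on the new patch file would keep the apply order visible from the file names.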
@ -173,6 +174,7 @@ xzcat '%{SOURCE0}' | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
# Remove flawed tests # Remove flawed tests
rm -rf tests/m_rootdir_acl rm -rf tests/m_rootdir_acl
@ -343,6 +345,9 @@ make PRINT_FAILED=yes fullcheck
%{_udevdir}/96-e2scrub.rules %{_udevdir}/96-e2scrub.rules
%changelog %changelog
* Fri May 13 2022 Lukas Czerner <lczerner@redhat.com> 1.46.5-3
- Add sanity check to extent manipulation (#2073549)
* Thu Jan 20 2022 Lukas Czerner <lczerner@redhat.com> - 1.46.5-2 * Thu Jan 20 2022 Lukas Czerner <lczerner@redhat.com> - 1.46.5-2
- Rebuild, no changes - Rebuild, no changes
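Review bot: The new %changelog entry omits the " - " separator before the version-release that the previous entry uses ("<lczerner@redhat.com> - 1.46.5-2"), and it names only #2073549. Add the separator for consistency and mention CVE-2022-1304, which the patch header lists, so the security fix is discoverable from the package changelog.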