From e7a9631152f124d9f9f8e674ec466d428eb6c8ef Mon Sep 17 00:00:00 2001 From: Eric Sandeen Date: Wed, 12 Dec 2007 20:16:57 +0000 Subject: [PATCH] * Tue Dec 11 2007 Eric Sandeen 1.40.2-14 - Fix integer overflows (#414591 / CVE-2007-5497) --- e2fsprogs-1.40.2-integer-overflows.patch | 322 +++++++++++++++++++++++ e2fsprogs.spec | 8 +- 2 files changed, 329 insertions(+), 1 deletion(-) create mode 100644 e2fsprogs-1.40.2-integer-overflows.patch diff --git a/e2fsprogs-1.40.2-integer-overflows.patch b/e2fsprogs-1.40.2-integer-overflows.patch new file mode 100644 index 0000000..053c9e2 --- /dev/null +++ b/e2fsprogs-1.40.2-integer-overflows.patch 
@@ -0,0 +1,322 @@ +From ee01079a17bfecd17292ccd60058056fb3a8ba6c Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 9 Nov 2007 19:01:06 -0500 +Subject: [PATCH] libext2fs: Add checks to prevent integer overflows passed to malloc() + +This addresses a potential security vulnerability where an untrusted +filesystem can be corrupted in such a way that a program using +libext2fs will allocate a buffer which is far too small. This can +lead to either a crash or potentially a heap-based buffer overflow +crash. No known exploits exist, but main concern is where an +untrusted user who possesses privileged access in a guest Xen +environment could corrupt a filesystem which is then accessed by the +pygrub program, running as root in the dom0 host environment, thus +allowing the untrusted user to gain privileged access in the host OS. + +Thanks to the McAfee AVERT Research group for reporting this issue. + +Addresses CVE-2007-5497. + +Signed-off-by: Rafal Wojtczuk +Signed-off-by: "Theodore Ts'o" +--- + lib/ext2fs/badblocks.c | 2 +- + lib/ext2fs/bb_inode.c | 2 +- + lib/ext2fs/block.c | 2 +- + lib/ext2fs/bmap.c | 2 +- + lib/ext2fs/bmove.c | 2 +- + lib/ext2fs/brel_ma.c | 3 ++- + lib/ext2fs/closefs.c | 3 +-- + lib/ext2fs/dblist.c | 3 ++- + lib/ext2fs/dupfs.c | 2 +- + lib/ext2fs/ext2fs.h | 7 +++++++ + lib/ext2fs/fileio.c | 2 +- + lib/ext2fs/icount.c | 3 ++- + lib/ext2fs/initialize.c | 2 +- + lib/ext2fs/inode.c | 10 +++++----- + lib/ext2fs/irel_ma.c | 12 ++++++++---- + lib/ext2fs/openfs.c | 2 +- + lib/ext2fs/res_gdt.c | 2 +- + 17 files changed, 37 insertions(+), 24 deletions(-) + +Index: e2fsprogs-1.40.2/lib/ext2fs/badblocks.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/badblocks.c ++++ e2fsprogs-1.40.2/lib/ext2fs/badblocks.c +@@ -42,7 +42,7 @@ static errcode_t make_u32_list(int size, + bb->magic = EXT2_ET_MAGIC_BADBLOCKS_LIST; + bb->size = size ? 
size : 10; + bb->num = num; +- retval = ext2fs_get_mem(bb->size * sizeof(blk_t), &bb->list); ++ retval = ext2fs_get_array(bb->size, sizeof(blk_t), &bb->list); + if (retval) { + ext2fs_free_mem(&bb); + return retval; +Index: e2fsprogs-1.40.2/lib/ext2fs/bb_inode.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/bb_inode.c ++++ e2fsprogs-1.40.2/lib/ext2fs/bb_inode.c +@@ -68,7 +68,7 @@ errcode_t ext2fs_update_bb_inode(ext2_fi + rec.bad_block_count = 0; + rec.ind_blocks_size = rec.ind_blocks_ptr = 0; + rec.max_ind_blocks = 10; +- retval = ext2fs_get_mem(rec.max_ind_blocks * sizeof(blk_t), ++ retval = ext2fs_get_array(rec.max_ind_blocks, sizeof(blk_t), + &rec.ind_blocks); + if (retval) + return retval; +Index: e2fsprogs-1.40.2/lib/ext2fs/block.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/block.c ++++ e2fsprogs-1.40.2/lib/ext2fs/block.c +@@ -313,7 +313,7 @@ errcode_t ext2fs_block_iterate2(ext2_fil + if (block_buf) { + ctx.ind_buf = block_buf; + } else { +- retval = ext2fs_get_mem(fs->blocksize * 3, &ctx.ind_buf); ++ retval = ext2fs_get_array(3, fs->blocksize, &ctx.ind_buf); + if (retval) + return retval; + } +Index: e2fsprogs-1.40.2/lib/ext2fs/bmap.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/bmap.c ++++ e2fsprogs-1.40.2/lib/ext2fs/bmap.c +@@ -158,7 +158,7 @@ errcode_t ext2fs_bmap(ext2_filsys fs, ex + addr_per_block = (blk_t) fs->blocksize >> 2; + + if (!block_buf) { +- retval = ext2fs_get_mem(fs->blocksize * 2, &buf); ++ retval = ext2fs_get_array(2, fs->blocksize, &buf); + if (retval) + return retval; + block_buf = buf; +Index: e2fsprogs-1.40.2/lib/ext2fs/bmove.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/bmove.c ++++ e2fsprogs-1.40.2/lib/ext2fs/bmove.c +@@ -108,7 +108,7 @@ errcode_t ext2fs_move_blocks(ext2_filsys + 
pb.alloc_map = alloc_map ? alloc_map : fs->block_map; + pb.flags = flags; + +- retval = ext2fs_get_mem(fs->blocksize * 4, &block_buf); ++ retval = ext2fs_get_array(4, fs->blocksize, &block_buf); + if (retval) + return retval; + pb.buf = block_buf + fs->blocksize * 3; +Index: e2fsprogs-1.40.2/lib/ext2fs/brel_ma.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/brel_ma.c ++++ e2fsprogs-1.40.2/lib/ext2fs/brel_ma.c +@@ -75,7 +75,8 @@ errcode_t ext2fs_brel_memarray_create(ch + + size = (size_t) (sizeof(struct ext2_block_relocate_entry) * + (max_block+1)); +- retval = ext2fs_get_mem(size, &ma->entries); ++ retval = ext2fs_get_array(max_block+1, ++ sizeof(struct ext2_block_relocate_entry), &ma->entries); + if (retval) + goto errout; + memset(ma->entries, 0, size); +Index: e2fsprogs-1.40.2/lib/ext2fs/closefs.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/closefs.c ++++ e2fsprogs-1.40.2/lib/ext2fs/closefs.c +@@ -226,8 +226,7 @@ errcode_t ext2fs_flush(ext2_filsys fs) + retval = ext2fs_get_mem(SUPERBLOCK_SIZE, &super_shadow); + if (retval) + goto errout; +- retval = ext2fs_get_mem((size_t)(fs->blocksize * +- fs->desc_blocks), ++ retval = ext2fs_get_array(fs->blocksize, fs->desc_blocks, + &group_shadow); + if (retval) + goto errout; +Index: e2fsprogs-1.40.2/lib/ext2fs/dblist.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/dblist.c ++++ e2fsprogs-1.40.2/lib/ext2fs/dblist.c +@@ -85,7 +85,8 @@ static errcode_t make_dblist(ext2_filsys + } + len = (size_t) sizeof(struct ext2_db_entry) * dblist->size; + dblist->count = count; +- retval = ext2fs_get_mem(len, &dblist->list); ++ retval = ext2fs_get_array(dblist->size, sizeof(struct ext2_db_entry), ++ &dblist->list); + if (retval) + goto cleanup; + +Index: e2fsprogs-1.40.2/lib/ext2fs/dupfs.c 
+=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/dupfs.c ++++ e2fsprogs-1.40.2/lib/ext2fs/dupfs.c +@@ -59,7 +59,7 @@ errcode_t ext2fs_dup_handle(ext2_filsys + goto errout; + memcpy(fs->orig_super, src->orig_super, SUPERBLOCK_SIZE); + +- retval = ext2fs_get_mem((size_t) fs->desc_blocks * fs->blocksize, ++ retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize, + &fs->group_desc); + if (retval) + goto errout; +Index: e2fsprogs-1.40.2/lib/ext2fs/ext2fs.h +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/ext2fs.h ++++ e2fsprogs-1.40.2/lib/ext2fs/ext2fs.h +@@ -965,6 +965,7 @@ extern errcode_t ext2fs_write_bb_FILE(ex + + /* inline functions */ + extern errcode_t ext2fs_get_mem(unsigned long size, void *ptr); ++extern errcode_t ext2fs_get_array(unsigned long count, unsigned long size, void *ptr); + extern errcode_t ext2fs_free_mem(void *ptr); + extern errcode_t ext2fs_resize_mem(unsigned long old_size, + unsigned long size, void *ptr); +@@ -1018,6 +1019,12 @@ _INLINE_ errcode_t ext2fs_get_mem(unsign + memcpy(ptr, &pp, sizeof (pp)); + return 0; + } ++_INLINE_ errcode_t ext2fs_get_array(unsigned long count, unsigned long size, void *ptr) ++{ ++ if (count && (-1UL)/countblocksize * 3, &file->buf); ++ retval = ext2fs_get_array(3, fs->blocksize, &file->buf); + if (retval) + goto fail; + +Index: e2fsprogs-1.40.2/lib/ext2fs/icount.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/icount.c ++++ e2fsprogs-1.40.2/lib/ext2fs/icount.c +@@ -237,7 +237,8 @@ errcode_t ext2fs_create_icount2(ext2_fil + printf("Icount allocated %u entries, %d bytes.\n", + icount->size, bytes); + #endif +- retval = ext2fs_get_mem(bytes, &icount->list); ++ retval = ext2fs_get_array(icount->size, sizeof(struct ext2_icount_el), ++ &icount->list); + if (retval) + goto errout; + memset(icount->list, 0, bytes); +Index: 
e2fsprogs-1.40.2/lib/ext2fs/initialize.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/initialize.c ++++ e2fsprogs-1.40.2/lib/ext2fs/initialize.c +@@ -349,7 +349,7 @@ ipg_retry: + + ext2fs_free_mem(&buf); + +- retval = ext2fs_get_mem((size_t) fs->desc_blocks * fs->blocksize, ++ retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize, + &fs->group_desc); + if (retval) + goto cleanup; +Index: e2fsprogs-1.40.2/lib/ext2fs/inode.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/inode.c ++++ e2fsprogs-1.40.2/lib/ext2fs/inode.c +@@ -90,9 +90,9 @@ static errcode_t create_icache(ext2_fils + fs->icache->cache_last = -1; + fs->icache->cache_size = 4; + fs->icache->refcount = 1; +- retval = ext2fs_get_mem(sizeof(struct ext2_inode_cache_ent) +- * fs->icache->cache_size, +- &fs->icache->cache); ++ retval = ext2fs_get_array(fs->icache->cache_size, ++ sizeof(struct ext2_inode_cache_ent), ++ &fs->icache->cache); + if (retval) { + ext2fs_free_mem(&fs->icache->buffer); + ext2fs_free_mem(&fs->icache); +@@ -146,8 +146,8 @@ errcode_t ext2fs_open_inode_scan(ext2_fi + group_desc[scan->current_group].bg_inode_table; + scan->inodes_left = EXT2_INODES_PER_GROUP(scan->fs->super); + scan->blocks_left = scan->fs->inode_blocks_per_group; +- retval = ext2fs_get_mem((size_t) (scan->inode_buffer_blocks * +- fs->blocksize), ++ retval = ext2fs_get_array(scan->inode_buffer_blocks, ++ fs->blocksize, + &scan->inode_buffer); + scan->done_group = 0; + scan->done_group_data = 0; +Index: e2fsprogs-1.40.2/lib/ext2fs/irel_ma.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/irel_ma.c ++++ e2fsprogs-1.40.2/lib/ext2fs/irel_ma.c +@@ -90,21 +90,24 @@ errcode_t ext2fs_irel_memarray_create(ch + irel->priv_data = ma; + + size = (size_t) (sizeof(ext2_ino_t) * (max_inode+1)); +- retval = ext2fs_get_mem(size, &ma->orig_map); ++ retval = 
ext2fs_get_array(max_inode+1, sizeof(ext2_ino_t), ++ &ma->orig_map); + if (retval) + goto errout; + memset(ma->orig_map, 0, size); + + size = (size_t) (sizeof(struct ext2_inode_relocate_entry) * + (max_inode+1)); +- retval = ext2fs_get_mem(size, &ma->entries); ++ retval = ext2fs_get_array((max_inode+1, ++ sizeof(struct ext2_inode_relocate_entry), &ma->entries); + if (retval) + goto errout; + memset(ma->entries, 0, size); + + size = (size_t) (sizeof(struct inode_reference_entry) * + (max_inode+1)); +- retval = ext2fs_get_mem(size, &ma->ref_entries); ++ retval = ext2fs_get_mem(max_inode+1, ++ sizeof(struct inode_reference_entry), &ma->ref_entries); + if (retval) + goto errout; + memset(ma->ref_entries, 0, size); +@@ -249,7 +252,8 @@ static errcode_t ima_add_ref(ext2_irel i + if (ref_ent->refs == 0) { + size = (size_t) ((sizeof(struct ext2_inode_reference) * + ent->max_refs)); +- retval = ext2fs_get_mem(size, &ref_ent->refs); ++ retval = ext2fs_get_array(ent->max_refs, ++ sizeof(struct ext2_inode_reference), &ref_ent->refs); + if (retval) + return retval; + memset(ref_ent->refs, 0, size); +Index: e2fsprogs-1.40.2/lib/ext2fs/openfs.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/openfs.c ++++ e2fsprogs-1.40.2/lib/ext2fs/openfs.c +@@ -276,7 +276,7 @@ errcode_t ext2fs_open2(const char *name, + blocks_per_group); + fs->desc_blocks = ext2fs_div_ceil(fs->group_desc_count, + EXT2_DESC_PER_BLOCK(fs->super)); +- retval = ext2fs_get_mem(fs->desc_blocks * fs->blocksize, ++ retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize, + &fs->group_desc); + if (retval) + goto cleanup; +Index: e2fsprogs-1.40.2/lib/ext2fs/res_gdt.c +=================================================================== +--- e2fsprogs-1.40.2.orig/lib/ext2fs/res_gdt.c ++++ e2fsprogs-1.40.2/lib/ext2fs/res_gdt.c +@@ -73,7 +73,7 @@ errcode_t ext2fs_create_resize_inode(ext + + sb = fs->super; + +- retval = ext2fs_get_mem(2 * fs->blocksize, 
&dindir_buf); ++ retval = ext2fs_get_array(2, fs->blocksize, &dindir_buf); + if (retval) + goto out_free; + gdt_buf = (__u32 *)((char *)dindir_buf + fs->blocksize); diff --git a/e2fsprogs.spec b/e2fsprogs.spec index ac481d3..5038acc 100644 --- a/e2fsprogs.spec +++ b/e2fsprogs.spec @@ -4,7 +4,7 @@ Summary: Utilities for managing the second and third extended (ext2/ext3) filesystems Name: e2fsprogs Version: 1.40.2 -Release: 13%{?dist} +Release: 14%{?dist} # License based on upstream-modified COPYING file, # which clearly states "V2" intent. License: GPLv2 @@ -24,6 +24,7 @@ Patch65: e2fsprogs-1.40.2-fix-open-create-modes.patch Patch66: e2fsprogs-1.40.2-protect-open-ops.patch Patch67: e2fsprogs-1.40.2-blkid-FAT-magic-not-on-strict-position.patch Patch68: e2fsprogs-1.40.2-blkid-squashfs.patch +Patch69: e2fsprogs-1.40.2-integer-overflows.patch Url: http://e2fsprogs.sourceforge.net/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -107,6 +108,8 @@ also want to install e2fsprogs. %patch67 -p1 -b .blkid-fat # detect squashfs in libblkid (#305151) %patch68 -p1 -b .blkid-squashfs +# prevent integer overflows (#414591 / CVE-2007-5497) +%patch69 -p1 -b .overflows %build aclocal @@ -268,6 +271,9 @@ exit 0 %{_mandir}/man3/uuid_unparse.3* %changelog +* Tue Dec 11 2007 Eric Sandeen 1.40.2-14 +- Fix integer overflows (#414591 / CVE-2007-5497) + * Tue Dec 4 2007 Stepan Kasal 1.40.2-13 - The -devel package now requires device-mapper-devel, to match the dependency in blkid.pc (#410791)
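Review bot: Two of the three allocations in the irel_ma.c part of the embedded patch are wrong as written: the ma->entries call `ext2fs_get_array((max_inode+1,` has an unbalanced opening parenthesis, and the ma->ref_entries call passes three arguments to `ext2fs_get_mem`, whose prototype in the ext2fs.h hunk takes only `(unsigned long size, void *ptr)`, so the file would fail to compile if it is part of the build and the overflow check this patch exists for is not applied there. Both should read `retval = ext2fs_get_array(max_inode+1, sizeof(struct ext2_inode_relocate_entry), &ma->entries);` and `retval = ext2fs_get_array(max_inode+1, sizeof(struct inode_reference_entry), &ma->ref_entries);`. The closefs.c call passes `(fs->blocksize, fs->desc_blocks, ...)` while every other caller uses (count, element size) order; the product is commutative so this is only a readability point, but matching the others keeps the argument pairing unambiguous. The body of ext2fs_get_array itself appears garbled on this page (`(-1UL)/countblocksize * 3` fuses the ext2fs.h and fileio.c hunks), so the overflow test it performs cannot be verified from what is visible here.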