rpms/e2fsprogs
7
0
Fork 1
Code Issues Pull Requests Releases Activity

* Tue Dec 11 2007 Eric Sandeen <esandeen@redhat.com> 1.40.2-14

Browse Source 
- Fix integer overflows (#414591 / CVE-2007-5497)
This commit is contained in:
Eric Sandeen 2007-12-12 20:16:57 +00:00
parent ecf110c623
commit e7a9631152
2 changed files with 329 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

322
e2fsprogs-1.40.2-integer-overflows.patch Normal file
View File

@ -0,0 +1,322 @@
From ee01079a17bfecd17292ccd60058056fb3a8ba6c Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <tytso@mit.edu>
Date: Fri, 9 Nov 2007 19:01:06 -0500
Subject: [PATCH] libext2fs: Add checks to prevent integer overflows passed to malloc()
This addresses a potential security vulnerability where an untrusted
filesystem can be corrupted in such a way that a program using
libext2fs will allocate a buffer which is far too small. This can
lead to either a crash or potentially a heap-based buffer overflow
crash. No known exploits exist, but main concern is where an
untrusted user who possesses privileged access in a guest Xen
environment could corrupt a filesystem which is then accessed by the
pygrub program, running as root in the dom0 host environment, thus
allowing the untrusted user to gain privileged access in the host OS.
Thanks to the McAfee AVERT Research group for reporting this issue.
Addresses CVE-2007-5497.
Signed-off-by: Rafal Wojtczuk <rafal_wojtczuk@mcafee.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
---
lib/ext2fs/badblocks.c | 2 +-
lib/ext2fs/bb_inode.c | 2 +-
lib/ext2fs/block.c | 2 +-
lib/ext2fs/bmap.c | 2 +-
lib/ext2fs/bmove.c | 2 +-
lib/ext2fs/brel_ma.c | 3 ++-
lib/ext2fs/closefs.c | 3 +--
lib/ext2fs/dblist.c | 3 ++-
lib/ext2fs/dupfs.c | 2 +-
lib/ext2fs/ext2fs.h | 7 +++++++
lib/ext2fs/fileio.c | 2 +-
lib/ext2fs/icount.c | 3 ++-
lib/ext2fs/initialize.c | 2 +-
lib/ext2fs/inode.c | 10 +++++-----
lib/ext2fs/irel_ma.c | 12 ++++++++----
lib/ext2fs/openfs.c | 2 +-
lib/ext2fs/res_gdt.c | 2 +-
17 files changed, 37 insertions(+), 24 deletions(-)
Index: e2fsprogs-1.40.2/lib/ext2fs/badblocks.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/badblocks.c
+++ e2fsprogs-1.40.2/lib/ext2fs/badblocks.c
@@ -42,7 +42,7 @@ static errcode_t make_u32_list(int size,
bb->magic = EXT2_ET_MAGIC_BADBLOCKS_LIST;
bb->size = size ? size : 10;
bb->num = num;
- retval = ext2fs_get_mem(bb->size * sizeof(blk_t), &bb->list);
+ retval = ext2fs_get_array(bb->size, sizeof(blk_t), &bb->list);
if (retval) {
ext2fs_free_mem(&bb);
return retval;
Index: e2fsprogs-1.40.2/lib/ext2fs/bb_inode.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/bb_inode.c
+++ e2fsprogs-1.40.2/lib/ext2fs/bb_inode.c
@@ -68,7 +68,7 @@ errcode_t ext2fs_update_bb_inode(ext2_fi
rec.bad_block_count = 0;
rec.ind_blocks_size = rec.ind_blocks_ptr = 0;
rec.max_ind_blocks = 10;
- retval = ext2fs_get_mem(rec.max_ind_blocks * sizeof(blk_t),
+ retval = ext2fs_get_array(rec.max_ind_blocks, sizeof(blk_t),
&rec.ind_blocks);
if (retval)
return retval;
Index: e2fsprogs-1.40.2/lib/ext2fs/block.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/block.c
+++ e2fsprogs-1.40.2/lib/ext2fs/block.c
@@ -313,7 +313,7 @@ errcode_t ext2fs_block_iterate2(ext2_fil
if (block_buf) {
ctx.ind_buf = block_buf;
} else {
- retval = ext2fs_get_mem(fs->blocksize * 3, &ctx.ind_buf);
+ retval = ext2fs_get_array(3, fs->blocksize, &ctx.ind_buf);
if (retval)
return retval;
}
Index: e2fsprogs-1.40.2/lib/ext2fs/bmap.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/bmap.c
+++ e2fsprogs-1.40.2/lib/ext2fs/bmap.c
@@ -158,7 +158,7 @@ errcode_t ext2fs_bmap(ext2_filsys fs, ex
addr_per_block = (blk_t) fs->blocksize >> 2;
if (!block_buf) {
- retval = ext2fs_get_mem(fs->blocksize * 2, &buf);
+ retval = ext2fs_get_array(2, fs->blocksize, &buf);
if (retval)
return retval;
block_buf = buf;
Index: e2fsprogs-1.40.2/lib/ext2fs/bmove.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/bmove.c
+++ e2fsprogs-1.40.2/lib/ext2fs/bmove.c
@@ -108,7 +108,7 @@ errcode_t ext2fs_move_blocks(ext2_filsys
pb.alloc_map = alloc_map ? alloc_map : fs->block_map;
pb.flags = flags;
- retval = ext2fs_get_mem(fs->blocksize * 4, &block_buf);
+ retval = ext2fs_get_array(4, fs->blocksize, &block_buf);
if (retval)
return retval;
pb.buf = block_buf + fs->blocksize * 3;
Index: e2fsprogs-1.40.2/lib/ext2fs/brel_ma.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/brel_ma.c
+++ e2fsprogs-1.40.2/lib/ext2fs/brel_ma.c
@@ -75,7 +75,8 @@ errcode_t ext2fs_brel_memarray_create(ch
size = (size_t) (sizeof(struct ext2_block_relocate_entry) *
(max_block+1));
- retval = ext2fs_get_mem(size, &ma->entries);
+ retval = ext2fs_get_array(max_block+1,
+ sizeof(struct ext2_block_relocate_entry), &ma->entries);
if (retval)
goto errout;
memset(ma->entries, 0, size);
Index: e2fsprogs-1.40.2/lib/ext2fs/closefs.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/closefs.c
+++ e2fsprogs-1.40.2/lib/ext2fs/closefs.c
@@ -226,8 +226,7 @@ errcode_t ext2fs_flush(ext2_filsys fs)
retval = ext2fs_get_mem(SUPERBLOCK_SIZE, &super_shadow);
if (retval)
goto errout;
- retval = ext2fs_get_mem((size_t)(fs->blocksize *
- fs->desc_blocks),
+ retval = ext2fs_get_array(fs->blocksize, fs->desc_blocks,
&group_shadow);
if (retval)
goto errout;
Index: e2fsprogs-1.40.2/lib/ext2fs/dblist.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/dblist.c
+++ e2fsprogs-1.40.2/lib/ext2fs/dblist.c
@@ -85,7 +85,8 @@ static errcode_t make_dblist(ext2_filsys
}
len = (size_t) sizeof(struct ext2_db_entry) * dblist->size;
dblist->count = count;
- retval = ext2fs_get_mem(len, &dblist->list);
+ retval = ext2fs_get_array(dblist->size, sizeof(struct ext2_db_entry),
+ &dblist->list);
if (retval)
goto cleanup;
Index: e2fsprogs-1.40.2/lib/ext2fs/dupfs.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/dupfs.c
+++ e2fsprogs-1.40.2/lib/ext2fs/dupfs.c
@@ -59,7 +59,7 @@ errcode_t ext2fs_dup_handle(ext2_filsys
goto errout;
memcpy(fs->orig_super, src->orig_super, SUPERBLOCK_SIZE);
- retval = ext2fs_get_mem((size_t) fs->desc_blocks * fs->blocksize,
+ retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize,
&fs->group_desc);
if (retval)
goto errout;
Index: e2fsprogs-1.40.2/lib/ext2fs/ext2fs.h
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/ext2fs.h
+++ e2fsprogs-1.40.2/lib/ext2fs/ext2fs.h
@@ -965,6 +965,7 @@ extern errcode_t ext2fs_write_bb_FILE(ex
/* inline functions */
extern errcode_t ext2fs_get_mem(unsigned long size, void *ptr);
+extern errcode_t ext2fs_get_array(unsigned long count, unsigned long size, void *ptr);
extern errcode_t ext2fs_free_mem(void *ptr);
extern errcode_t ext2fs_resize_mem(unsigned long old_size,
unsigned long size, void *ptr);
@@ -1018,6 +1019,12 @@ _INLINE_ errcode_t ext2fs_get_mem(unsign
memcpy(ptr, &pp, sizeof (pp));
return 0;
}
+_INLINE_ errcode_t ext2fs_get_array(unsigned long count, unsigned long size, void *ptr)
+{
+ if (count && (-1UL)/count<size)
+ return EXT2_ET_NO_MEMORY; //maybe define EXT2_ET_OVERFLOW ?
+ return ext2fs_get_mem(count*size, ptr);
+}
/*
* Free memory
Index: e2fsprogs-1.40.2/lib/ext2fs/fileio.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/fileio.c
+++ e2fsprogs-1.40.2/lib/ext2fs/fileio.c
@@ -65,7 +65,7 @@ errcode_t ext2fs_file_open2(ext2_filsys
goto fail;
}
- retval = ext2fs_get_mem(fs->blocksize * 3, &file->buf);
+ retval = ext2fs_get_array(3, fs->blocksize, &file->buf);
if (retval)
goto fail;
Index: e2fsprogs-1.40.2/lib/ext2fs/icount.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/icount.c
+++ e2fsprogs-1.40.2/lib/ext2fs/icount.c
@@ -237,7 +237,8 @@ errcode_t ext2fs_create_icount2(ext2_fil
printf("Icount allocated %u entries, %d bytes.\n",
icount->size, bytes);
#endif
- retval = ext2fs_get_mem(bytes, &icount->list);
+ retval = ext2fs_get_array(icount->size, sizeof(struct ext2_icount_el),
+ &icount->list);
if (retval)
goto errout;
memset(icount->list, 0, bytes);
Index: e2fsprogs-1.40.2/lib/ext2fs/initialize.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/initialize.c
+++ e2fsprogs-1.40.2/lib/ext2fs/initialize.c
@@ -349,7 +349,7 @@ ipg_retry:
ext2fs_free_mem(&buf);
- retval = ext2fs_get_mem((size_t) fs->desc_blocks * fs->blocksize,
+ retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize,
&fs->group_desc);
if (retval)
goto cleanup;
Index: e2fsprogs-1.40.2/lib/ext2fs/inode.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/inode.c
+++ e2fsprogs-1.40.2/lib/ext2fs/inode.c
@@ -90,9 +90,9 @@ static errcode_t create_icache(ext2_fils
fs->icache->cache_last = -1;
fs->icache->cache_size = 4;
fs->icache->refcount = 1;
- retval = ext2fs_get_mem(sizeof(struct ext2_inode_cache_ent)
- * fs->icache->cache_size,
- &fs->icache->cache);
+ retval = ext2fs_get_array(fs->icache->cache_size,
+ sizeof(struct ext2_inode_cache_ent),
+ &fs->icache->cache);
if (retval) {
ext2fs_free_mem(&fs->icache->buffer);
ext2fs_free_mem(&fs->icache);
@@ -146,8 +146,8 @@ errcode_t ext2fs_open_inode_scan(ext2_fi
group_desc[scan->current_group].bg_inode_table;
scan->inodes_left = EXT2_INODES_PER_GROUP(scan->fs->super);
scan->blocks_left = scan->fs->inode_blocks_per_group;
- retval = ext2fs_get_mem((size_t) (scan->inode_buffer_blocks *
- fs->blocksize),
+ retval = ext2fs_get_array(scan->inode_buffer_blocks,
+ fs->blocksize,
&scan->inode_buffer);
scan->done_group = 0;
scan->done_group_data = 0;
Index: e2fsprogs-1.40.2/lib/ext2fs/irel_ma.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/irel_ma.c
+++ e2fsprogs-1.40.2/lib/ext2fs/irel_ma.c
@@ -90,21 +90,24 @@ errcode_t ext2fs_irel_memarray_create(ch
irel->priv_data = ma;
size = (size_t) (sizeof(ext2_ino_t) * (max_inode+1));
- retval = ext2fs_get_mem(size, &ma->orig_map);
+ retval = ext2fs_get_array(max_inode+1, sizeof(ext2_ino_t),
+ &ma->orig_map);
if (retval)
goto errout;
memset(ma->orig_map, 0, size);
size = (size_t) (sizeof(struct ext2_inode_relocate_entry) *
(max_inode+1));
- retval = ext2fs_get_mem(size, &ma->entries);
+ retval = ext2fs_get_array((max_inode+1,
+ sizeof(struct ext2_inode_relocate_entry), &ma->entries);
if (retval)
goto errout;
memset(ma->entries, 0, size);
size = (size_t) (sizeof(struct inode_reference_entry) *
(max_inode+1));
- retval = ext2fs_get_mem(size, &ma->ref_entries);
+ retval = ext2fs_get_mem(max_inode+1,
+ sizeof(struct inode_reference_entry), &ma->ref_entries);
if (retval)
goto errout;
memset(ma->ref_entries, 0, size);
@@ -249,7 +252,8 @@ static errcode_t ima_add_ref(ext2_irel i
if (ref_ent->refs == 0) {
size = (size_t) ((sizeof(struct ext2_inode_reference) *
ent->max_refs));
- retval = ext2fs_get_mem(size, &ref_ent->refs);
+ retval = ext2fs_get_array(ent->max_refs,
+ sizeof(struct ext2_inode_reference), &ref_ent->refs);
if (retval)
return retval;
memset(ref_ent->refs, 0, size);
Index: e2fsprogs-1.40.2/lib/ext2fs/openfs.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/openfs.c
+++ e2fsprogs-1.40.2/lib/ext2fs/openfs.c
@@ -276,7 +276,7 @@ errcode_t ext2fs_open2(const char *name,
blocks_per_group);
fs->desc_blocks = ext2fs_div_ceil(fs->group_desc_count,
EXT2_DESC_PER_BLOCK(fs->super));
- retval = ext2fs_get_mem(fs->desc_blocks * fs->blocksize,
+ retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize,
&fs->group_desc);
if (retval)
goto cleanup;
Index: e2fsprogs-1.40.2/lib/ext2fs/res_gdt.c
===================================================================
--- e2fsprogs-1.40.2.orig/lib/ext2fs/res_gdt.c
+++ e2fsprogs-1.40.2/lib/ext2fs/res_gdt.c
@@ -73,7 +73,7 @@ errcode_t ext2fs_create_resize_inode(ext
sb = fs->super;
- retval = ext2fs_get_mem(2 * fs->blocksize, &dindir_buf);
+ retval = ext2fs_get_array(2, fs->blocksize, &dindir_buf);
if (retval)
goto out_free;
gdt_buf = (__u32 *)((char *)dindir_buf + fs->blocksize);

8
e2fsprogs.spec
View File

@ -4,7 +4,7 @@
Summary: Utilities for managing the second and third extended (ext2/ext3) filesystems
Name: e2fsprogs
Version: 1.40.2
Release: 13%{?dist}
Release: 14%{?dist}
# License based on upstream-modified COPYING file,
# which clearly states "V2" intent.
License: GPLv2
@ -24,6 +24,7 @@ Patch65: e2fsprogs-1.40.2-fix-open-create-modes.patch
Patch66: e2fsprogs-1.40.2-protect-open-ops.patch
Patch67: e2fsprogs-1.40.2-blkid-FAT-magic-not-on-strict-position.patch
Patch68: e2fsprogs-1.40.2-blkid-squashfs.patch
Patch69: e2fsprogs-1.40.2-integer-overflows.patch
Url: http://e2fsprogs.sourceforge.net/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -107,6 +108,8 @@ also want to install e2fsprogs.
%patch67 -p1 -b .blkid-fat
# detect squashfs in libblkid (#305151)
%patch68 -p1 -b .blkid-squashfs
# prevent integer overflows (#414591 / CVE-2007-5497)
%patch69 -p1 -b .overflows
%build
aclocal
@ -268,6 +271,9 @@ exit 0
%{_mandir}/man3/uuid_unparse.3*
%changelog
* Tue Dec 11 2007 Eric Sandeen <esandeen@redhat.com> 1.40.2-14
- Fix integer overflows (#414591 / CVE-2007-5497)
* Tue Dec 4 2007 Stepan Kasal <skasal@redhat.com> 1.40.2-13
- The -devel package now requires device-mapper-devel, to match
the dependency in blkid.pc (#410791)