packages/e2fsprogs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!91 e2fsprogs: fix CVE-2022-1304

Browse Source 
From: @liuzhiqiang26 
Reviewed-by: @volcanodragon 
Signed-off-by: @volcanodragon
This commit is contained in:
openeuler-ci-bot 2022-05-28 03:43:00 +00:00 committed by Gitee
commit 192cb786ab
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 60 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
0015-libext2fs-add-sanity-check-to-extent-manipulation.patch Normal file
View File

@ -0,0 +1,55 @@
From ab51d587bb9b229b1fade1afd02e1574c1ba5c76 Mon Sep 17 00:00:00 2001
From: Lukas Czerner <lczerner@redhat.com>
Date: Thu, 21 Apr 2022 19:31:48 +0200
Subject: [PATCH] libext2fs: add sanity check to extent manipulation
It is possible to have a corrupted extent tree in such a way that a leaf
node contains zero extents in it. Currently if that happens and we try
to traverse the tree we can end up accessing wrong data, or possibly
even uninitialized memory. Make sure we don't do that.
Additionally make sure that we have a sane number of bytes passed to
memmove() in ext2fs_extent_delete().
Note that e2fsck is currently unable to spot and fix such corruption in
pass1.
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reported-by: Nils Bars <nils_bars@t-online.de>
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113
Addresses: CVE-2022-1304
Addresses-Debian-Bug: #1010263
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
lib/ext2fs/extent.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
index b324c7b..1a206a1 100644
--- a/lib/ext2fs/extent.c
+++ b/lib/ext2fs/extent.c
@@ -495,6 +495,10 @@ retry:
ext2fs_le16_to_cpu(eh->eh_entries);
newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);
+ /* Make sure there is at least one extent present */
+ if (newpath->left <= 0)
+ return EXT2_ET_EXTENT_NO_DOWN;
+
if (path->left > 0) {
ix++;
newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);
@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)
cp = path->curr;
+ /* Sanity check before memmove() */
+ if (path->left < 0)
+ return EXT2_ET_EXTENT_LEAF_BAD;
+
if (path->left) {
memmove(cp, cp + sizeof(struct ext3_extent_idx),
path->left * sizeof(struct ext3_extent_idx));
--
1.8.3.1

6
e2fsprogs.spec
View File

@ -1,6 +1,6 @@
Name: e2fsprogs Name: e2fsprogs
Version: 1.46.4 Version: 1.46.4
Release: 9 Release: 10
Summary: Second extended file system management tools Summary: Second extended file system management tools
License: GPLv2+ and LGPLv2 and MIT License: GPLv2+ and LGPLv2 and MIT
URL: http://e2fsprogs.sourceforge.net/ URL: http://e2fsprogs.sourceforge.net/
@ -20,6 +20,7 @@ Patch11: 0011-libext2fs-don-t-old-the-CACHE_MTX-while-doing-I-O.patch
Patch12: 0012-tests-skip-m_rootdir_acl-if-selinux-is-not-disabled.patch Patch12: 0012-tests-skip-m_rootdir_acl-if-selinux-is-not-disabled.patch
Patch13: 0013-e2fsck-do-not-clean-up-file-acl-if-the-inode-is-trun.patch Patch13: 0013-e2fsck-do-not-clean-up-file-acl-if-the-inode-is-trun.patch
Patch14: 0014-e2fsck-handle-level-is-overflow-in-ext2fs_extent_get.patch Patch14: 0014-e2fsck-handle-level-is-overflow-in-ext2fs_extent_get.patch
Patch15: 0015-libext2fs-add-sanity-check-to-extent-manipulation.patch
BuildRequires: gcc pkgconfig texinfo BuildRequires: gcc pkgconfig texinfo
@ -142,6 +143,9 @@ exit 0
%{_mandir}/man8/* %{_mandir}/man8/*
%changelog %changelog
* Sat May 28 2022 Zhiqiang Liu <liuzhiqiang26@huawei.com> - 1.46.4-10
- fix CVE-2022-1304
* Fri May 20 2022 zhanchengbin <zhanchengbin1@huawei.com> - 1.46.4-9 * Fri May 20 2022 zhanchengbin <zhanchengbin1@huawei.com> - 1.46.4-9
- e2fsck: handle->level is overflow in ext2fs_extent_get. - e2fsck: handle->level is overflow in ext2fs_extent_get.