e2fsprogs: fix CVE-2019-5188

Also see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948508 (From OE-Core rev: 09bdcef183d885025da6aa87a7c2bf7e8268774e) (From OE-Core rev: f454e207eac6fb85eb217554e13c2d3e69f41522) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2020-03-21 21:57:23 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-04-09 00:07:12 +0100
commit: 548ff2152478533ba16901867837fd443f3a5610 (patch)
tree: 6c2cf651d58c54e4c13ddf43ebce2c274cdc8049
parent: 37a64657e60bda8e949694469518c1b0111e364a (diff)
download: poky-548ff2152478533ba16901867837fd443f3a5610.tar.gz
3 files changed, 108 insertions, 0 deletions
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
new file mode 100644
index 0000000000..ba4e3a3c97
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
@@ -0,0 +1,49 @@
+From 71ba13755337e19c9a826dfc874562a36e1b24d3 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 19 Dec 2019 19:45:06 -0500
+Subject: [PATCH] e2fsck: don't try to rehash a deleted directory
+If directory has been deleted in pass1[bcd] processing, then we
+shouldn't try to rehash the directory in pass 3a when we try to
+rehash/reoptimize directories.
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=71ba13755337e19c9a826dfc874562a36e1b24d3]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ e2fsck/pass1b.c | 4 ++++
+ e2fsck/rehash.c | 2 ++
+ 2 files changed, 6 insertions(+)
+diff --git a/e2fsck/pass1b.c b/e2fsck/pass1b.c
+index 5693b9cf..bca701ca 100644
+--- a/e2fsck/pass1b.c
+++ b/e2fsck/pass1b.c
+@@ -705,6 +705,10 @@ static void delete_file(e2fsck_t ctx, ext2_ino_t ino,
+                fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx);
+        if (ctx->inode_bad_map)
+                ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino);
+       if (ctx->inode_reg_map)
+               ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino);
+       ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino);
+       ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino);
+        ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode));
+        quota_data_sub(ctx->qctx, &dp->inode, ino,
+                       pb.dup_blocks * fs->blocksize);
+diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
+index 3dd1e941..2c908be0 100644
+--- a/e2fsck/rehash.c
+++ b/e2fsck/rehash.c
+@@ -1028,6 +1028,8 @@ void e2fsck_rehash_directories(e2fsck_t ctx)
+                        if (!ext2fs_u32_list_iterate(iter, &ino))
+                                break;
+                }
+               if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino))
+                       continue;
+ 
+                pctx.dir = ino;
+                if (first) {
+-- 
+2.24.1
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
new file mode 100644
index 0000000000..de4bce0037
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
@@ -0,0 +1,57 @@
+From 8dd73c149f418238f19791f9d666089ef9734dff Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 19 Dec 2019 19:37:34 -0500
+Subject: [PATCH] e2fsck: abort if there is a corrupted directory block when
+ rehashing
+In e2fsck pass 3a, when we are rehashing directories, at least in
+theory, all of the directories should have had corruptions with
+respect to directory entry structure fixed.  However, it's possible
+(for example, if the user declined a fix) that we can reach this stage
+of processing with a corrupted directory entries.
+So check for that case and don't try to process a corrupted directory
+block so we don't run into trouble in mutate_name() if there is a
+zero-length file name.
+Addresses: TALOS-2019-0973
+Addresses: CVE-2019-5188
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+CVE: CVE-2019-5188
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff]
+---
+ e2fsck/rehash.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
+index a5fc1be1..3dd1e941 100644
+--- a/e2fsck/rehash.c
+++ b/e2fsck/rehash.c
+@@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs,
+                dir_offset += rec_len;
+                if (dirent->inode == 0)
+                        continue;
+               if ((name_len) == 0) {
+                       fd->err = EXT2_ET_DIR_CORRUPTED;
+                       return BLOCK_ABORT;
+               }
+                if (!fd->compress && (name_len == 1) &&
+                    (dirent->name[0] == '.'))
+                        continue;
+@@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs,
+                        continue;
+                }
+                new_len = ext2fs_dirent_name_len(ent->dir);
+               if (new_len == 0) {
+                        /* should never happen */
+                       ext2fs_unmark_valid(fs);
+                       continue;
+               }
+                memcpy(new_name, ent->dir->name, new_len);
+                mutate_name(new_name, &new_len);
+                for (j=0; j < fd->num_array; j++) {
+-- 
+2.24.1
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb
index 0695ee9dc3..dea481d1b9 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb
@@ -7,6 +7,8 @@ SRC_URI += "file://remove.ldconfig.call.patch \
            file://mkdir_p.patch \
            file://0001-misc-create_inode.c-set-dir-s-mode-correctly.patch \
            file://0001-create_inode-fix-copying-large-files.patch \
+            file://CVE-2019-5188.patch \
+            file://0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch \
            "
 SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
author	Anuj Mittal <anuj.mittal@intel.com>	2020-03-21 21:57:23 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-04-09 00:07:12 +0100
commit	548ff2152478533ba16901867837fd443f3a5610 (patch)
tree	6c2cf651d58c54e4c13ddf43ebce2c274cdc8049
parent	37a64657e60bda8e949694469518c1b0111e364a (diff)
download	poky-548ff2152478533ba16901867837fd443f3a5610.tar.gz

diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch new file mode 100644 index 0000000000..ba4e3a3c97 --- /dev/null +++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
@@ -0,0 +1,49 @@
		1	From 71ba13755337e19c9a826dfc874562a36e1b24d3 Mon Sep 17 00:00:00 2001
		2	From: Theodore Ts'o <tytso@mit.edu>
		3	Date: Thu, 19 Dec 2019 19:45:06 -0500
		4	Subject: [PATCH] e2fsck: don't try to rehash a deleted directory
		5
		6	If directory has been deleted in pass1[bcd] processing, then we
		7	shouldn't try to rehash the directory in pass 3a when we try to
		8	rehash/reoptimize directories.
		9
		10	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
		11
		12	Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=71ba13755337e19c9a826dfc874562a36e1b24d3]
		13	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		14	---
		15	e2fsck/pass1b.c \| 4 ++++
		16	e2fsck/rehash.c \| 2 ++
		17	2 files changed, 6 insertions(+)
		18
		19	diff --git a/e2fsck/pass1b.c b/e2fsck/pass1b.c
		20	index 5693b9cf..bca701ca 100644
		21	--- a/e2fsck/pass1b.c
		22	+++ b/e2fsck/pass1b.c
		23	@@ -705,6 +705,10 @@ static void delete_file(e2fsck_t ctx, ext2_ino_t ino,
		24	fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx);
		25	if (ctx->inode_bad_map)
		26	ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino);
		27	+ if (ctx->inode_reg_map)
		28	+ ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino);
		29	+ ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino);
		30	+ ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino);
		31	ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode));
		32	quota_data_sub(ctx->qctx, &dp->inode, ino,
		33	pb.dup_blocks * fs->blocksize);
		34	diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
		35	index 3dd1e941..2c908be0 100644
		36	--- a/e2fsck/rehash.c
		37	+++ b/e2fsck/rehash.c
		38	@@ -1028,6 +1028,8 @@ void e2fsck_rehash_directories(e2fsck_t ctx)
		39	if (!ext2fs_u32_list_iterate(iter, &ino))
		40	break;
		41	}
		42	+ if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino))
		43	+ continue;
		44
		45	pctx.dir = ino;
		46	if (first) {
		47	--
		48	2.24.1
		49


diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch new file mode 100644 index 0000000000..de4bce0037 --- /dev/null +++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
@@ -0,0 +1,57 @@
		1	From 8dd73c149f418238f19791f9d666089ef9734dff Mon Sep 17 00:00:00 2001
		2	From: Theodore Ts'o <tytso@mit.edu>
		3	Date: Thu, 19 Dec 2019 19:37:34 -0500
		4	Subject: [PATCH] e2fsck: abort if there is a corrupted directory block when
		5	rehashing
		6
		7	In e2fsck pass 3a, when we are rehashing directories, at least in
		8	theory, all of the directories should have had corruptions with
		9	respect to directory entry structure fixed. However, it's possible
		10	(for example, if the user declined a fix) that we can reach this stage
		11	of processing with a corrupted directory entries.
		12
		13	So check for that case and don't try to process a corrupted directory
		14	block so we don't run into trouble in mutate_name() if there is a
		15	zero-length file name.
		16
		17	Addresses: TALOS-2019-0973
		18	Addresses: CVE-2019-5188
		19	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
		20
		21	CVE: CVE-2019-5188
		22	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		23	Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff]
		24	---
		25	e2fsck/rehash.c \| 9 +++++++++
		26	1 file changed, 9 insertions(+)
		27
		28	diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
		29	index a5fc1be1..3dd1e941 100644
		30	--- a/e2fsck/rehash.c
		31	+++ b/e2fsck/rehash.c
		32	@@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs,
		33	dir_offset += rec_len;
		34	if (dirent->inode == 0)
		35	continue;
		36	+ if ((name_len) == 0) {
		37	+ fd->err = EXT2_ET_DIR_CORRUPTED;
		38	+ return BLOCK_ABORT;
		39	+ }
		40	if (!fd->compress && (name_len == 1) &&
		41	(dirent->name[0] == '.'))
		42	continue;
		43	@@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs,
		44	continue;
		45	}
		46	new_len = ext2fs_dirent_name_len(ent->dir);
		47	+ if (new_len == 0) {
		48	+ /* should never happen */
		49	+ ext2fs_unmark_valid(fs);
		50	+ continue;
		51	+ }
		52	memcpy(new_name, ent->dir->name, new_len);
		53	mutate_name(new_name, &new_len);
		54	for (j=0; j < fd->num_array; j++) {
		55	--
		56	2.24.1
		57


diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb index 0695ee9dc3..dea481d1b9 100644 --- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb +++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb
@@ -7,6 +7,8 @@ SRC_URI += "file://remove.ldconfig.call.patch \
7	file://mkdir_p.patch \	7	file://mkdir_p.patch \
8	file://0001-misc-create_inode.c-set-dir-s-mode-correctly.patch \	8	file://0001-misc-create_inode.c-set-dir-s-mode-correctly.patch \
9	file://0001-create_inode-fix-copying-large-files.patch \	9	file://0001-create_inode-fix-copying-large-files.patch \
		10	file://CVE-2019-5188.patch \
		11	file://0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch \
10	"	12	"
11		13
12	SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \	14	SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \