summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-04-29 09:02:22 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-05-01 11:34:52 (GMT)
commit90a33dde44446185d41bf6eb5e7aa27faacbc936 (patch)
tree6e4bc0a5c7070122b43c4a118d6ae2aaccc97d59
parentb9da1f441bbd8ef2c4bbcd2aabd2d42b65757827 (diff)
downloadpoky-90a33dde44446185d41bf6eb5e7aa27faacbc936.tar.gz
e2fsprogs: CVE-2015-0247
Fixes input sanitization errors. References http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4 http://www.ocert.org/advisories/ocert-2015-002.html (From OE-Core rev: f3e5b052689b2eba30e26903e964791f92241e65) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch58
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb1
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch
new file mode 100644
index 0000000..4de67c9
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch
@@ -0,0 +1,58 @@
1From f66e6ce4446738c2c7f43d41988a3eb73347e2f5 Mon Sep 17 00:00:00 2001
2From: Theodore Ts'o <tytso@mit.edu>
3Date: Sat, 9 Aug 2014 12:24:54 -0400
4Subject: libext2fs: avoid buffer overflow if s_first_meta_bg is too big
5
6If s_first_meta_bg is greater than the of number block group
7descriptor blocks, then reading or writing the block group descriptors
8will end up overruning the memory buffer allocated for the
9descriptors. Fix this by limiting first_meta_bg to no more than
10fs->desc_blocks. This doesn't correct the bad s_first_meta_bg value,
11but it avoids causing the e2fsprogs userspace programs from
12potentially crashing.
13
14Fixes CVE-2015-0247
15Upstream-Status: Backport
16
17Signed-off-by: Theodore Ts'o <tytso@mit.edu>
18Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
19
20diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
21index 4599eef..1f99113 100644
22--- a/lib/ext2fs/closefs.c
23+++ b/lib/ext2fs/closefs.c
24@@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
25 * superblocks and group descriptors.
26 */
27 group_ptr = (char *) group_shadow;
28- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
29+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
30 old_desc_blocks = fs->super->s_first_meta_bg;
31- else
32+ if (old_desc_blocks > fs->super->s_first_meta_bg)
33+ old_desc_blocks = fs->desc_blocks;
34+ } else
35 old_desc_blocks = fs->desc_blocks;
36
37 ext2fs_numeric_progress_init(fs, &progress, NULL,
38diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c
39index a1a3517..ba501e6 100644
40--- a/lib/ext2fs/openfs.c
41+++ b/lib/ext2fs/openfs.c
42@@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
43 #ifdef WORDS_BIGENDIAN
44 groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
45 #endif
46- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
47+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
48 first_meta_bg = fs->super->s_first_meta_bg;
49- else
50+ if (first_meta_bg > fs->desc_blocks)
51+ first_meta_bg = fs->desc_blocks;
52+ } else
53 first_meta_bg = fs->desc_blocks;
54 if (first_meta_bg) {
55 retval = io_channel_read_blk(fs->io, group_block +
56--
57cgit v0.10.2
58
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
index 2bdd724..a29ce5b 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
@@ -18,6 +18,7 @@ SRC_URI += "file://acinclude.m4 \
18 file://0011-mke2fs.8.in-update-the-manual-for-the-d-option.patch \ 18 file://0011-mke2fs.8.in-update-the-manual-for-the-d-option.patch \
19 file://0001-e2fsprogs-fix-cross-compilation-problem.patch \ 19 file://0001-e2fsprogs-fix-cross-compilation-problem.patch \
20 file://misc-mke2fs.c-return-error-when-failed-to-populate-fs.patch \ 20 file://misc-mke2fs.c-return-error-when-failed-to-populate-fs.patch \
21 file://CVE-2015-0247.patch \
21" 22"
22 23
23SRC_URI[md5sum] = "3f8e41e63b432ba114b33f58674563f7" 24SRC_URI[md5sum] = "3f8e41e63b432ba114b33f58674563f7"