summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-03-12 09:35:45 +0100
committerTudor Florea <tudor.florea@enea.com>2015-07-06 20:19:39 +0200
commita96624862c157844f02e5353e45be45c8f15881b (patch)
tree9c4cd503f23a1db512d065e73f2838d9601fd47a
parent13e4abbce92f9b7630563a0b7f9d8be6db3919c9 (diff)
downloadpoky-a96624862c157844f02e5353e45be45c8f15881b.tar.gz
e2fsprogs: CVE-2015-0247
Fixes input sanitization errors. References http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4 http://www.ocert.org/advisories/ocert-2015-002.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch58
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb1
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch
new file mode 100644
index 0000000000..4de67c9704
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch
@@ -0,0 +1,58 @@
1From f66e6ce4446738c2c7f43d41988a3eb73347e2f5 Mon Sep 17 00:00:00 2001
2From: Theodore Ts'o <tytso@mit.edu>
3Date: Sat, 9 Aug 2014 12:24:54 -0400
4Subject: libext2fs: avoid buffer overflow if s_first_meta_bg is too big
5
6If s_first_meta_bg is greater than the of number block group
7descriptor blocks, then reading or writing the block group descriptors
8will end up overruning the memory buffer allocated for the
9descriptors. Fix this by limiting first_meta_bg to no more than
10fs->desc_blocks. This doesn't correct the bad s_first_meta_bg value,
11but it avoids causing the e2fsprogs userspace programs from
12potentially crashing.
13
14Fixes CVE-2015-0247
15Upstream-Status: Backport
16
17Signed-off-by: Theodore Ts'o <tytso@mit.edu>
18Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
19
20diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
21index 4599eef..1f99113 100644
22--- a/lib/ext2fs/closefs.c
23+++ b/lib/ext2fs/closefs.c
24@@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
25 * superblocks and group descriptors.
26 */
27 group_ptr = (char *) group_shadow;
28- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
29+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
30 old_desc_blocks = fs->super->s_first_meta_bg;
31- else
32+ if (old_desc_blocks > fs->super->s_first_meta_bg)
33+ old_desc_blocks = fs->desc_blocks;
34+ } else
35 old_desc_blocks = fs->desc_blocks;
36
37 ext2fs_numeric_progress_init(fs, &progress, NULL,
38diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c
39index a1a3517..ba501e6 100644
40--- a/lib/ext2fs/openfs.c
41+++ b/lib/ext2fs/openfs.c
42@@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
43 #ifdef WORDS_BIGENDIAN
44 groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
45 #endif
46- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
47+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
48 first_meta_bg = fs->super->s_first_meta_bg;
49- else
50+ if (first_meta_bg > fs->desc_blocks)
51+ first_meta_bg = fs->desc_blocks;
52+ } else
53 first_meta_bg = fs->desc_blocks;
54 if (first_meta_bg) {
55 retval = io_channel_read_blk(fs->io, group_block +
56--
57cgit v0.10.2
58
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
index 2bdd7246a2..a29ce5b71f 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
@@ -18,6 +18,7 @@ SRC_URI += "file://acinclude.m4 \
18 file://0011-mke2fs.8.in-update-the-manual-for-the-d-option.patch \ 18 file://0011-mke2fs.8.in-update-the-manual-for-the-d-option.patch \
19 file://0001-e2fsprogs-fix-cross-compilation-problem.patch \ 19 file://0001-e2fsprogs-fix-cross-compilation-problem.patch \
20 file://misc-mke2fs.c-return-error-when-failed-to-populate-fs.patch \ 20 file://misc-mke2fs.c-return-error-when-failed-to-populate-fs.patch \
21 file://CVE-2015-0247.patch \
21" 22"
22 23
23SRC_URI[md5sum] = "3f8e41e63b432ba114b33f58674563f7" 24SRC_URI[md5sum] = "3f8e41e63b432ba114b33f58674563f7"