summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-03-12 11:01:01 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-03-16 17:42:07 +0000
commit4811b04f120f0a90d047feed239caa37c7008cb9 (patch)
tree9ec7d4e332e705344bda48eda5a841075dd62a3e
parent59e01b0262e22881aacec3665e168765372d155c (diff)
downloadpoky-4811b04f120f0a90d047feed239caa37c7008cb9.tar.gz
e2fsprogs: CVE-2015-0247
Fixes a heap buffer overflow in lib/ext2fs/openfs.c which allows a trivial arbitrary memory write under certain conditions. References http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4 http://www.ocert.org/advisories/ocert-2015-002.html (From OE-Core rev: 572437720b6698a3a10627fcd9654ef10f827836) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch58
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb1
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch
new file mode 100644
index 0000000000..4de67c9704
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch
@@ -0,0 +1,58 @@
1From f66e6ce4446738c2c7f43d41988a3eb73347e2f5 Mon Sep 17 00:00:00 2001
2From: Theodore Ts'o <tytso@mit.edu>
3Date: Sat, 9 Aug 2014 12:24:54 -0400
4Subject: libext2fs: avoid buffer overflow if s_first_meta_bg is too big
5
6If s_first_meta_bg is greater than the of number block group
7descriptor blocks, then reading or writing the block group descriptors
8will end up overruning the memory buffer allocated for the
9descriptors. Fix this by limiting first_meta_bg to no more than
10fs->desc_blocks. This doesn't correct the bad s_first_meta_bg value,
11but it avoids causing the e2fsprogs userspace programs from
12potentially crashing.
13
14Fixes CVE-2015-0247
15Upstream-Status: Backport
16
17Signed-off-by: Theodore Ts'o <tytso@mit.edu>
18Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
19
20diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
21index 4599eef..1f99113 100644
22--- a/lib/ext2fs/closefs.c
23+++ b/lib/ext2fs/closefs.c
24@@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
25 * superblocks and group descriptors.
26 */
27 group_ptr = (char *) group_shadow;
28- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
29+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
30 old_desc_blocks = fs->super->s_first_meta_bg;
31- else
32+ if (old_desc_blocks > fs->super->s_first_meta_bg)
33+ old_desc_blocks = fs->desc_blocks;
34+ } else
35 old_desc_blocks = fs->desc_blocks;
36
37 ext2fs_numeric_progress_init(fs, &progress, NULL,
38diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c
39index a1a3517..ba501e6 100644
40--- a/lib/ext2fs/openfs.c
41+++ b/lib/ext2fs/openfs.c
42@@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
43 #ifdef WORDS_BIGENDIAN
44 groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
45 #endif
46- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
47+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
48 first_meta_bg = fs->super->s_first_meta_bg;
49- else
50+ if (first_meta_bg > fs->desc_blocks)
51+ first_meta_bg = fs->desc_blocks;
52+ } else
53 first_meta_bg = fs->desc_blocks;
54 if (first_meta_bg) {
55 retval = io_channel_read_blk(fs->io, group_block +
56--
57cgit v0.10.2
58
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
index 656793f9ab..87e06e3b58 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
@@ -20,6 +20,7 @@ SRC_URI += "file://acinclude.m4 \
20 file://0001-e2fsprogs-fix-cross-compilation-problem.patch \ 20 file://0001-e2fsprogs-fix-cross-compilation-problem.patch \
21 file://misc-mke2fs.c-return-error-when-failed-to-populate-fs.patch \ 21 file://misc-mke2fs.c-return-error-when-failed-to-populate-fs.patch \
22 file://cache_inode.patch \ 22 file://cache_inode.patch \
23 file://CVE-2015-0247.patch \
23" 24"
24 25
25SRC_URI[md5sum] = "3f8e41e63b432ba114b33f58674563f7" 26SRC_URI[md5sum] = "3f8e41e63b432ba114b33f58674563f7"