summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2020-03-21 19:57:23 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-04-08 23:07:12 (GMT)
commit548ff2152478533ba16901867837fd443f3a5610 (patch)
tree6c2cf651d58c54e4c13ddf43ebce2c274cdc8049
parent37a64657e60bda8e949694469518c1b0111e364a (diff)
downloadpoky-548ff2152478533ba16901867837fd443f3a5610.tar.gz
e2fsprogs: fix CVE-2019-5188
Also see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948508 (From OE-Core rev: 09bdcef183d885025da6aa87a7c2bf7e8268774e) (From OE-Core rev: f454e207eac6fb85eb217554e13c2d3e69f41522) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch49
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch57
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb2
3 files changed, 108 insertions, 0 deletions
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
new file mode 100644
index 0000000..ba4e3a3
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
@@ -0,0 +1,49 @@
1From 71ba13755337e19c9a826dfc874562a36e1b24d3 Mon Sep 17 00:00:00 2001
2From: Theodore Ts'o <tytso@mit.edu>
3Date: Thu, 19 Dec 2019 19:45:06 -0500
4Subject: [PATCH] e2fsck: don't try to rehash a deleted directory
5
6If directory has been deleted in pass1[bcd] processing, then we
7shouldn't try to rehash the directory in pass 3a when we try to
8rehash/reoptimize directories.
9
10Signed-off-by: Theodore Ts'o <tytso@mit.edu>
11
12Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=71ba13755337e19c9a826dfc874562a36e1b24d3]
13Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
14---
15 e2fsck/pass1b.c | 4 ++++
16 e2fsck/rehash.c | 2 ++
17 2 files changed, 6 insertions(+)
18
19diff --git a/e2fsck/pass1b.c b/e2fsck/pass1b.c
20index 5693b9cf..bca701ca 100644
21--- a/e2fsck/pass1b.c
22+++ b/e2fsck/pass1b.c
23@@ -705,6 +705,10 @@ static void delete_file(e2fsck_t ctx, ext2_ino_t ino,
24 fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx);
25 if (ctx->inode_bad_map)
26 ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino);
27+ if (ctx->inode_reg_map)
28+ ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino);
29+ ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino);
30+ ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino);
31 ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode));
32 quota_data_sub(ctx->qctx, &dp->inode, ino,
33 pb.dup_blocks * fs->blocksize);
34diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
35index 3dd1e941..2c908be0 100644
36--- a/e2fsck/rehash.c
37+++ b/e2fsck/rehash.c
38@@ -1028,6 +1028,8 @@ void e2fsck_rehash_directories(e2fsck_t ctx)
39 if (!ext2fs_u32_list_iterate(iter, &ino))
40 break;
41 }
42+ if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino))
43+ continue;
44
45 pctx.dir = ino;
46 if (first) {
47--
482.24.1
49
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
new file mode 100644
index 0000000..de4bce0
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
@@ -0,0 +1,57 @@
1From 8dd73c149f418238f19791f9d666089ef9734dff Mon Sep 17 00:00:00 2001
2From: Theodore Ts'o <tytso@mit.edu>
3Date: Thu, 19 Dec 2019 19:37:34 -0500
4Subject: [PATCH] e2fsck: abort if there is a corrupted directory block when
5 rehashing
6
7In e2fsck pass 3a, when we are rehashing directories, at least in
8theory, all of the directories should have had corruptions with
9respect to directory entry structure fixed. However, it's possible
10(for example, if the user declined a fix) that we can reach this stage
11of processing with a corrupted directory entries.
12
13So check for that case and don't try to process a corrupted directory
14block so we don't run into trouble in mutate_name() if there is a
15zero-length file name.
16
17Addresses: TALOS-2019-0973
18Addresses: CVE-2019-5188
19Signed-off-by: Theodore Ts'o <tytso@mit.edu>
20
21CVE: CVE-2019-5188
22Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
23Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff]
24---
25 e2fsck/rehash.c | 9 +++++++++
26 1 file changed, 9 insertions(+)
27
28diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
29index a5fc1be1..3dd1e941 100644
30--- a/e2fsck/rehash.c
31+++ b/e2fsck/rehash.c
32@@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs,
33 dir_offset += rec_len;
34 if (dirent->inode == 0)
35 continue;
36+ if ((name_len) == 0) {
37+ fd->err = EXT2_ET_DIR_CORRUPTED;
38+ return BLOCK_ABORT;
39+ }
40 if (!fd->compress && (name_len == 1) &&
41 (dirent->name[0] == '.'))
42 continue;
43@@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs,
44 continue;
45 }
46 new_len = ext2fs_dirent_name_len(ent->dir);
47+ if (new_len == 0) {
48+ /* should never happen */
49+ ext2fs_unmark_valid(fs);
50+ continue;
51+ }
52 memcpy(new_name, ent->dir->name, new_len);
53 mutate_name(new_name, &new_len);
54 for (j=0; j < fd->num_array; j++) {
55--
562.24.1
57
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb
index 0695ee9..dea481d 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb
@@ -7,6 +7,8 @@ SRC_URI += "file://remove.ldconfig.call.patch \
7 file://mkdir_p.patch \ 7 file://mkdir_p.patch \
8 file://0001-misc-create_inode.c-set-dir-s-mode-correctly.patch \ 8 file://0001-misc-create_inode.c-set-dir-s-mode-correctly.patch \
9 file://0001-create_inode-fix-copying-large-files.patch \ 9 file://0001-create_inode-fix-copying-large-files.patch \
10 file://CVE-2019-5188.patch \
11 file://0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch \
10 " 12 "
11 13
12SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \ 14SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \