summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2020-03-21 19:57:24 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-04-08 23:07:12 (GMT)
commitaaf587913d6e8b5cc3fc7cee2e7416593208a4d4 (patch)
tree8ca45f5a5b004088894fd13cbb6818ed5bbe238d
parent548ff2152478533ba16901867837fd443f3a5610 (diff)
downloadpoky-aaf587913d6e8b5cc3fc7cee2e7416593208a4d4.tar.gz
e2fsprogs: backport upstream patch
Fixes a bug wherein a use after free could potentially be used to run malicious code if a user can be tricked into running e2fsck on a maliciously crafted file system. Also see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948517 (From OE-Core rev: 23c1b157362609bd8d85c7d35e6c7f0f60c32c88) (From OE-Core rev: bdd978f8f68e24dd35e2c19b46cbe71b06e4fe42) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch76
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb1
2 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch
new file mode 100644
index 0000000..342a2b8
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch
@@ -0,0 +1,76 @@
1From: Wang Shilong <wshilong@ddn.com>
2Date: Mon, 30 Dec 2019 19:52:39 -0500
3Subject: e2fsck: fix use after free in calculate_tree()
4
5The problem is alloc_blocks() will call get_next_block() which might
6reallocate outdir->buf, and memory address could be changed after
7this. To fix this, pointers that point into outdir->buf, such as
8int_limit and root need to be recaulated based on the new starting
9address of outdir->buf.
10
11[ Changed to correctly recalculate int_limit, and to optimize how we
12 reallocate outdir->buf. -TYT ]
13
14Addresses-Debian-Bug: 948517
15Signed-off-by: Wang Shilong <wshilong@ddn.com>
16Signed-off-by: Theodore Ts'o <tytso@mit.edu>
17(cherry picked from commit 101e73e99ccafa0403fcb27dd7413033b587ca01)
18
19Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
20Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=101e73e99ccafa0403fcb27dd7413033b587ca01]
21---
22 e2fsck/rehash.c | 17 ++++++++++++++++-
23 1 file changed, 16 insertions(+), 1 deletion(-)
24
25diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
26index 0a5888a9..2574e151 100644
27--- a/e2fsck/rehash.c
28+++ b/e2fsck/rehash.c
29@@ -295,7 +295,11 @@ static errcode_t get_next_block(ext2_filsys fs, struct out_dir *outdir,
30 errcode_t retval;
31
32 if (outdir->num >= outdir->max) {
33- retval = alloc_size_dir(fs, outdir, outdir->max + 50);
34+ int increment = outdir->max / 10;
35+
36+ if (increment < 50)
37+ increment = 50;
38+ retval = alloc_size_dir(fs, outdir, outdir->max + increment);
39 if (retval)
40 return retval;
41 }
42@@ -637,6 +641,9 @@ static int alloc_blocks(ext2_filsys fs,
43 if (retval)
44 return retval;
45
46+ /* outdir->buf might be reallocated */
47+ *prev_ent = (struct ext2_dx_entry *) (outdir->buf + *prev_offset);
48+
49 *next_ent = set_int_node(fs, block_start);
50 *limit = (struct ext2_dx_countlimit *)(*next_ent);
51 if (next_offset)
52@@ -726,6 +733,9 @@ static errcode_t calculate_tree(ext2_filsys fs,
53 return retval;
54 }
55 if (c3 == 0) {
56+ int delta1 = (char *)int_limit - outdir->buf;
57+ int delta2 = (char *)root - outdir->buf;
58+
59 retval = alloc_blocks(fs, &limit, &int_ent,
60 &dx_ent, &int_offset,
61 NULL, outdir, i, &c2,
62@@ -733,6 +743,11 @@ static errcode_t calculate_tree(ext2_filsys fs,
63 if (retval)
64 return retval;
65
66+ /* outdir->buf might be reallocated */
67+ int_limit = (struct ext2_dx_countlimit *)
68+ (outdir->buf + delta1);
69+ root = (struct ext2_dx_entry *)
70+ (outdir->buf + delta2);
71 }
72 dx_ent->block = ext2fs_cpu_to_le32(i);
73 if (c3 != limit->limit)
74--
752.24.1
76
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb
index dea481d..da06888 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.44.5.bb
@@ -9,6 +9,7 @@ SRC_URI += "file://remove.ldconfig.call.patch \
9 file://0001-create_inode-fix-copying-large-files.patch \ 9 file://0001-create_inode-fix-copying-large-files.patch \
10 file://CVE-2019-5188.patch \ 10 file://CVE-2019-5188.patch \
11 file://0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch \ 11 file://0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch \
12 file://e2fsck-fix-use-after-free-in-calculate_tree.patch \
12 " 13 "
13 14
14SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \ 15SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \