authorRoy Li <rongqing.li@windriver.com>2015-05-06 17:09:41 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-05-07 13:40:37 +0100
commit3176510ee73d635a1b7df5b10d146cf7a6ef628e (patch)
tree0c2dc8068d2bf2c9a1ae7f0bf95ad14523dbf67a
parent781cd0dc68a37dab9551d28aa66d2434a523eb13 (diff)
downloadpoky-3176510ee73d635a1b7df5b10d146cf7a6ef628e.tar.gz
e2fsprogs: fix the CVE-2015-1572
Backport a patch to fix CVE-2015-1572 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1572 (From OE-Core rev: 203e1024cc7517cad28423cc04f641376cc8f2f5) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-libext2fs-fix-potential-buffer-overflow-in-closefs.patch58
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb1
2 files changed, 59 insertions, 0 deletions
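diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-libext2fs-fix-potential-buffer-overflow-in-closefs.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-libext2fs-fix-potential-buffer-overflow-in-closefs.patch
new file mode 100644
index 0000000000..72f77cc6bd
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-libext2fs-fix-potential-buffer-overflow-in-closefs.patch
@@ -0,0 +1,58 @@
+From 49d0fe2a14f2a23da2fe299643379b8c1d37df73 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 6 Feb 2015 12:46:39 -0500
+Subject: [PATCH] libext2fs: fix potential buffer overflow in closefs()
+
+Upstream-Status: Backport
+
+The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
+s_first_meta_bg is too big" had a typo in the fix for
+ext2fs_closefs(). In practice most of the security exposure was from
+the openfs path, since this meant if there was a carefully crafted
+file system, buffer overrun would be triggered when the file system was
+opened.
+
+However, if corrupted file system didn't trip over some corruption
+check, and then the file system was modified via tune2fs or debugfs,
+such that the superblock was marked dirty and then written out via the
+closefs() path, it's possible that the buffer overrun could be
+triggered when the file system is closed.
+
+Also clear up a signed vs unsigned warning while we're at it.
+
+Thanks to Nick Kralevich <nnk@google.com> for asking me to look at
+compiler warning in the code in question, which led me to notice the
+bug in f66e6ce4446.
+
+Addresses: CVE-2015-1572
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+---
+ lib/ext2fs/closefs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
+index 1f99113..ab5b2fb 100644
+--- a/lib/ext2fs/closefs.c
++++ b/lib/ext2fs/closefs.c
+@@ -287,7 +287,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+ dgrp_t j;
+ #endif
+ char *group_ptr;
+- int old_desc_blocks;
++ blk64_t old_desc_blocks;
+ struct ext2fs_numeric_progress_struct progress;
+
+ EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS);
+@@ -346,7 +346,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+ group_ptr = (char *) group_shadow;
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
+ old_desc_blocks = fs->super->s_first_meta_bg;
+- if (old_desc_blocks > fs->super->s_first_meta_bg)
++ if (old_desc_blocks > fs->desc_blocks)
+ old_desc_blocks = fs->desc_blocks;
+ } else
+ old_desc_blocks = fs->desc_blocks;
+--
+2.1.0
+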
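Review bot: The `Upstream-Status: Backport` line in the patch header does not say which upstream commit or release the fix comes from, and the header carries no sign-off from the person who did the backport. The upstream hash is only visible in the mbox `From` line, so I would record it explicitly, e.g. `Upstream-Status: Backport [upstream commit 49d0fe2a14f2a23da2fe299643379b8c1d37df73]`, and add the backporter's `Signed-off-by:` under it. That lets someone auditing CVE-2015-1572 coverage confirm the backport matches upstream without digging through recipe history. The embedded closefs.c hunks themselves should stay identical to upstream.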
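diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
index be1db9e89e..b3540887f3 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
@@ -21,6 +21,7 @@ SRC_URI += "file://acinclude.m4 \
  file://misc-mke2fs.c-return-error-when-failed-to-populate-fs.patch \
  file://cache_inode.patch \
  file://CVE-2015-0247.patch \
+ file://0001-libext2fs-fix-potential-buffer-overflow-in-closefs.patch \
 "
 
 SRC_URI[md5sum] = "3f8e41e63b432ba114b33f58674563f7"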
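Review bot: The new SRC_URI entry names the patch after its git subject while the entry directly above it is `CVE-2015-0247.patch`, so searching the recipe for CVE identifiers finds one fix and misses the other. Naming it the same way, `file://CVE-2015-1572.patch \`, would keep the CVE coverage visible from the recipe alone. The position after `CVE-2015-0247.patch` also matters: the line this patch removes in closefs.c is described in its header as a typo from f66e6ce4446, which is presumably what CVE-2015-0247.patch carries, so the two entries need to stay in this order.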