diff options
author | Anuj Mittal <anuj.mittal@intel.com> | 2020-03-20 19:23:53 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-03-30 17:41:56 +0100 |
commit | ad00b082d882873b2792b884bfb2b1a5bd77b80f (patch) | |
tree | c8e5dfc1be1ec4e613621c993d8ad64ce0a9a8cb /meta/recipes-devtools | |
parent | 2491bc87a421ed145dd552aaed5798e0e7509e61 (diff) | |
download | poky-ad00b082d882873b2792b884bfb2b1a5bd77b80f.tar.gz |
e2fsprogs: fix CVE-2019-5188
Also see:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948508
(From OE-Core rev: 09bdcef183d885025da6aa87a7c2bf7e8268774e)
(From OE-Core rev: b3fcf13e332d8830e759ef4161161f0e54591700)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
3 files changed, 108 insertions, 0 deletions
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch new file mode 100644 index 0000000000..ba4e3a3c97 --- /dev/null +++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 71ba13755337e19c9a826dfc874562a36e1b24d3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Theodore Ts'o <tytso@mit.edu> | ||
3 | Date: Thu, 19 Dec 2019 19:45:06 -0500 | ||
4 | Subject: [PATCH] e2fsck: don't try to rehash a deleted directory | ||
5 | |||
6 | If directory has been deleted in pass1[bcd] processing, then we | ||
7 | shouldn't try to rehash the directory in pass 3a when we try to | ||
8 | rehash/reoptimize directories. | ||
9 | |||
10 | Signed-off-by: Theodore Ts'o <tytso@mit.edu> | ||
11 | |||
12 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=71ba13755337e19c9a826dfc874562a36e1b24d3] | ||
13 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
14 | --- | ||
15 | e2fsck/pass1b.c | 4 ++++ | ||
16 | e2fsck/rehash.c | 2 ++ | ||
17 | 2 files changed, 6 insertions(+) | ||
18 | |||
19 | diff --git a/e2fsck/pass1b.c b/e2fsck/pass1b.c | ||
20 | index 5693b9cf..bca701ca 100644 | ||
21 | --- a/e2fsck/pass1b.c | ||
22 | +++ b/e2fsck/pass1b.c | ||
23 | @@ -705,6 +705,10 @@ static void delete_file(e2fsck_t ctx, ext2_ino_t ino, | ||
24 | fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx); | ||
25 | if (ctx->inode_bad_map) | ||
26 | ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino); | ||
27 | + if (ctx->inode_reg_map) | ||
28 | + ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino); | ||
29 | + ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino); | ||
30 | + ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino); | ||
31 | ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode)); | ||
32 | quota_data_sub(ctx->qctx, &dp->inode, ino, | ||
33 | pb.dup_blocks * fs->blocksize); | ||
34 | diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c | ||
35 | index 3dd1e941..2c908be0 100644 | ||
36 | --- a/e2fsck/rehash.c | ||
37 | +++ b/e2fsck/rehash.c | ||
38 | @@ -1028,6 +1028,8 @@ void e2fsck_rehash_directories(e2fsck_t ctx) | ||
39 | if (!ext2fs_u32_list_iterate(iter, &ino)) | ||
40 | break; | ||
41 | } | ||
42 | + if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino)) | ||
43 | + continue; | ||
44 | |||
45 | pctx.dir = ino; | ||
46 | if (first) { | ||
47 | -- | ||
48 | 2.24.1 | ||
49 | |||
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch new file mode 100644 index 0000000000..de4bce0037 --- /dev/null +++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From 8dd73c149f418238f19791f9d666089ef9734dff Mon Sep 17 00:00:00 2001 | ||
2 | From: Theodore Ts'o <tytso@mit.edu> | ||
3 | Date: Thu, 19 Dec 2019 19:37:34 -0500 | ||
4 | Subject: [PATCH] e2fsck: abort if there is a corrupted directory block when | ||
5 | rehashing | ||
6 | |||
7 | In e2fsck pass 3a, when we are rehashing directories, at least in | ||
8 | theory, all of the directories should have had corruptions with | ||
9 | respect to directory entry structure fixed. However, it's possible | ||
10 | (for example, if the user declined a fix) that we can reach this stage | ||
11 | of processing with a corrupted directory entries. | ||
12 | |||
13 | So check for that case and don't try to process a corrupted directory | ||
14 | block so we don't run into trouble in mutate_name() if there is a | ||
15 | zero-length file name. | ||
16 | |||
17 | Addresses: TALOS-2019-0973 | ||
18 | Addresses: CVE-2019-5188 | ||
19 | Signed-off-by: Theodore Ts'o <tytso@mit.edu> | ||
20 | |||
21 | CVE: CVE-2019-5188 | ||
22 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
23 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff] | ||
24 | --- | ||
25 | e2fsck/rehash.c | 9 +++++++++ | ||
26 | 1 file changed, 9 insertions(+) | ||
27 | |||
28 | diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c | ||
29 | index a5fc1be1..3dd1e941 100644 | ||
30 | --- a/e2fsck/rehash.c | ||
31 | +++ b/e2fsck/rehash.c | ||
32 | @@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs, | ||
33 | dir_offset += rec_len; | ||
34 | if (dirent->inode == 0) | ||
35 | continue; | ||
36 | + if ((name_len) == 0) { | ||
37 | + fd->err = EXT2_ET_DIR_CORRUPTED; | ||
38 | + return BLOCK_ABORT; | ||
39 | + } | ||
40 | if (!fd->compress && (name_len == 1) && | ||
41 | (dirent->name[0] == '.')) | ||
42 | continue; | ||
43 | @@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs, | ||
44 | continue; | ||
45 | } | ||
46 | new_len = ext2fs_dirent_name_len(ent->dir); | ||
47 | + if (new_len == 0) { | ||
48 | + /* should never happen */ | ||
49 | + ext2fs_unmark_valid(fs); | ||
50 | + continue; | ||
51 | + } | ||
52 | memcpy(new_name, ent->dir->name, new_len); | ||
53 | mutate_name(new_name, &new_len); | ||
54 | for (j=0; j < fd->num_array; j++) { | ||
55 | -- | ||
56 | 2.24.1 | ||
57 | |||
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb index 14c05a446c..2014e68579 100644 --- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb +++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb | |||
@@ -6,6 +6,8 @@ SRC_URI += "file://remove.ldconfig.call.patch \ | |||
6 | file://mkdir_p.patch \ | 6 | file://mkdir_p.patch \ |
7 | file://0001-misc-create_inode.c-set-dir-s-mode-correctly.patch \ | 7 | file://0001-misc-create_inode.c-set-dir-s-mode-correctly.patch \ |
8 | file://CVE-2019-5094.patch \ | 8 | file://CVE-2019-5094.patch \ |
9 | file://CVE-2019-5188.patch \ | ||
10 | file://0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch \ | ||
9 | " | 11 | " |
10 | 12 | ||
11 | SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \ | 13 | SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \ |