Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:Update
e2fsprogs
libext2fs-add-sanity-check-to-extent-manipulati...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File libext2fs-add-sanity-check-to-extent-manipulation.patch of Package e2fsprogs
From ab51d587bb9b229b1fade1afd02e1574c1ba5c76 Mon Sep 17 00:00:00 2001 From: Lukas Czerner <lczerner@redhat.com> Date: Thu, 21 Apr 2022 19:31:48 +0200 Subject: [PATCH] libext2fs: add sanity check to extent manipulation References: bsc#1198446 CVE-2022-1304 It is possible to have a corrupted extent tree in such a way that a leaf node contains zero extents in it. Currently if that happens and we try to traverse the tree we can end up accessing wrong data, or possibly even uninitialized memory. Make sure we don't do that. Additionally make sure that we have a sane number of bytes passed to memmove() in ext2fs_extent_delete(). Note that e2fsck is currently unable to spot and fix such corruption in pass1. Signed-off-by: Lukas Czerner <lczerner@redhat.com> Reported-by: Nils Bars <nils_bars@t-online.de> Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113 Addresses: CVE-2022-1304 Addresses-Debian-Bug: #1010263 Signed-off-by: Theodore Ts'o <tytso@mit.edu> --- lib/ext2fs/extent.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c index b324c7b0f8c8..1a206a16c13f 100644 --- a/lib/ext2fs/extent.c +++ b/lib/ext2fs/extent.c @@ -495,6 +495,10 @@ retry: ext2fs_le16_to_cpu(eh->eh_entries); newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max); + /* Make sure there is at least one extent present */ + if (newpath->left <= 0) + return EXT2_ET_EXTENT_NO_DOWN; + if (path->left > 0) { ix++; newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block); @@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags) cp = path->curr; + /* Sanity check before memmove() */ + if (path->left < 0) + return EXT2_ET_EXTENT_LEAF_BAD; + if (path->left) { memmove(cp, cp + sizeof(struct ext3_extent_idx), path->left * sizeof(struct ext3_extent_idx)); -- 2.34.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor