File libext2fs-avoid-buffer-overflow-if-s_first_meta... of Package e2fsprogs

Overview Repositories Revisions Requests Users Attributes Meta

File libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch of Package e2fsprogs

From f66e6ce4446738c2c7f43d41988a3eb73347e2f5 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <tytso@mit.edu>
Date: Sat, 9 Aug 2014 12:24:54 -0400
Subject: [PATCH] libext2fs: avoid buffer overflow if s_first_meta_bg is too
 big
References: bsc#915402 CVE-2015-0247

If s_first_meta_bg is greater than the of number block group
descriptor blocks, then reading or writing the block group descriptors
will end up overruning the memory buffer allocated for the
descriptors.  Fix this by limiting first_meta_bg to no more than
fs->desc_blocks.  This doesn't correct the bad s_first_meta_bg value,
but it avoids causing the e2fsprogs userspace programs from
potentially crashing.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Jan Kara <jack@suse.cz>
---
 lib/ext2fs/closefs.c | 6 ++++--
 lib/ext2fs/openfs.c  | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

Index: e2fsprogs-1.42.11/lib/ext2fs/closefs.c
===================================================================
--- e2fsprogs-1.42.11.orig/lib/ext2fs/closefs.c
+++ e2fsprogs-1.42.11/lib/ext2fs/closefs.c
@@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs,
 	 * superblocks and group descriptors.
 	 */
 	group_ptr = (char *) group_shadow;
-	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
+	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
 		old_desc_blocks = fs->super->s_first_meta_bg;
-	else
+		if (old_desc_blocks > fs->super->s_first_meta_bg)
+			old_desc_blocks = fs->desc_blocks;
+	} else
 		old_desc_blocks = fs->desc_blocks;
 
 	ext2fs_numeric_progress_init(fs, &progress, NULL,
Index: e2fsprogs-1.42.11/lib/ext2fs/openfs.c
===================================================================
--- e2fsprogs-1.42.11.orig/lib/ext2fs/openfs.c
+++ e2fsprogs-1.42.11/lib/ext2fs/openfs.c
@@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name,
 #ifdef WORDS_BIGENDIAN
 	groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
 #endif
-	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
+	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
 		first_meta_bg = fs->super->s_first_meta_bg;
-	else
+		if (first_meta_bg > fs->desc_blocks)
+			first_meta_bg = fs->desc_blocks;
+	} else
 		first_meta_bg = fs->desc_blocks;
 	if (first_meta_bg) {
 		retval = io_channel_read_blk(fs->io, group_block +

Places

File libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch of Package e2fsprogs

Places