From 5c42454ba766a6a4a2017790497adc4e220b0225 Mon Sep 17 00:00:00 2001 From: OBS User atopt Date: Fri, 7 Feb 2020 09:44:15 +0000 Subject: [PATCH] Set link to e2fsprogs.13739 via maintenance_release request Rev SUSE:SLE-12-SP4:Update/3 Md5 633d116b5f228c15db630dc74eb58741 2020-02-07 09:44:15 atopt None --- ...there-is-a-corrupted-directory-block.patch | 55 +++++++++++++++++++ ...-t-try-to-rehash-a-deleted-directory.patch | 48 ++++++++++++++++ e2fsprogs.changes | 9 +++ e2fsprogs.spec | 6 +- 4 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 e2fsck-abort-if-there-is-a-corrupted-directory-block.patch create mode 100644 e2fsck-don-t-try-to-rehash-a-deleted-directory.patch diff --git a/e2fsck-abort-if-there-is-a-corrupted-directory-block.patch b/e2fsck-abort-if-there-is-a-corrupted-directory-block.patch new file mode 100644 index 0000000..beaac3f --- /dev/null +++ b/e2fsck-abort-if-there-is-a-corrupted-directory-block.patch @@ -0,0 +1,55 @@ +From 8dd73c149f418238f19791f9d666089ef9734dff Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 19 Dec 2019 19:37:34 -0500 +Subject: [PATCH] e2fsck: abort if there is a corrupted directory block + when rehashing +References: bsc#1160571 CVE-2019-5188 + +In e2fsck pass 3a, when we are rehashing directories, at least in +theory, all of the directories should have had corruptions with +respect to directory entry structure fixed. However, it's possible +(for example, if the user declined a fix) that we can reach this stage +of processing with a corrupted directory entries. + +So check for that case and don't try to process a corrupted directory +block so we don't run into trouble in mutate_name() if there is a +zero-length file name. + +Addresses: TALOS-2019-0973 +Addresses: CVE-2019-5188 +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara +--- + e2fsck/rehash.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c +index a5fc1be1a210..3dd1e94131c6 100644 +--- a/e2fsck/rehash.c ++++ b/e2fsck/rehash.c +@@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs, + dir_offset += rec_len; + if (dirent->inode == 0) + continue; ++ if ((name_len) == 0) { ++ fd->err = EXT2_ET_DIR_CORRUPTED; ++ return BLOCK_ABORT; ++ } + if (!fd->compress && (name_len == 1) && + (dirent->name[0] == '.')) + continue; +@@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs, + continue; + } + new_len = ext2fs_dirent_name_len(ent->dir); ++ if (new_len == 0) { ++ /* should never happen */ ++ ext2fs_unmark_valid(fs); ++ continue; ++ } + memcpy(new_name, ent->dir->name, new_len); + mutate_name(new_name, &new_len); + for (j=0; j < fd->num_array; j++) { +-- +2.16.4 + diff --git a/e2fsck-don-t-try-to-rehash-a-deleted-directory.patch b/e2fsck-don-t-try-to-rehash-a-deleted-directory.patch new file mode 100644 index 0000000..d3776e4 --- /dev/null +++ b/e2fsck-don-t-try-to-rehash-a-deleted-directory.patch @@ -0,0 +1,48 @@ +From 71ba13755337e19c9a826dfc874562a36e1b24d3 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 19 Dec 2019 19:45:06 -0500 +Subject: [PATCH] e2fsck: don't try to rehash a deleted directory +References: bsc#1160571 CVE-2019-5188 + +If directory has been deleted in pass1[bcd] processing, then we +shouldn't try to rehash the directory in pass 3a when we try to +rehash/reoptimize directories. + +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara +--- + e2fsck/pass1b.c | 4 ++++ + e2fsck/rehash.c | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/e2fsck/pass1b.c b/e2fsck/pass1b.c +index 5693b9cfcc5a..bca701cab94f 100644 +--- a/e2fsck/pass1b.c ++++ b/e2fsck/pass1b.c +@@ -705,6 +705,10 @@ static void delete_file(e2fsck_t ctx, ext2_ino_t ino, + fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx); + if (ctx->inode_bad_map) + ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino); ++ if (ctx->inode_reg_map) ++ ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino); ++ ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino); ++ ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino); + ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode)); + quota_data_sub(ctx->qctx, &dp->inode, ino, + pb.dup_blocks * fs->blocksize); +diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c +index 3dd1e94131c6..2c908be04d70 100644 +--- a/e2fsck/rehash.c ++++ b/e2fsck/rehash.c +@@ -1028,6 +1028,8 @@ void e2fsck_rehash_directories(e2fsck_t ctx) + if (!ext2fs_u32_list_iterate(iter, &ino)) + break; + } ++ if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino)) ++ continue; + + pctx.dir = ino; + if (first) { +-- +2.16.4 + diff --git a/e2fsprogs.changes b/e2fsprogs.changes index ad9651d..a2d8cdd 100644 --- a/e2fsprogs.changes +++ b/e2fsprogs.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Jan 9 14:50:45 UTC 2020 - Jan Kara + +- e2fsck-abort-if-there-is-a-corrupted-directory-block.patch: e2fsck: abort if + there is a corrupted directory block when rehashing (bsc#1160571 + CVE-2019-5188) +- e2fsck-don-t-try-to-rehash-a-deleted-directory.patch: 2fsck: don't try to + rehash a deleted directory (bsc#1160571 CVE-2019-5188) + ------------------------------------------------------------------- Mon Sep 30 15:09:04 UTC 2019 - Jan Kara diff --git a/e2fsprogs.spec b/e2fsprogs.spec index 2cd3a0b..6037c6c 100644 --- a/e2fsprogs.spec +++ b/e2fsprogs.spec @@ -1,7 +1,7 @@ # # spec file for package e2fsprogs # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -85,6 +85,8 @@ Patch6: libext2fs-Fix-fsync-2-detection.patch Patch7: e2fsck-check-and-fix-tails-of-all-bitmaps.patch Patch8: libext2fs-call-fsync-2-to-clear-stale-errors-for-a-n.patch Patch9: libsupport-add-checks-to-prevent-buffer-overrun-bugs.patch +Patch10: e2fsck-abort-if-there-is-a-corrupted-directory-block.patch +Patch11: e2fsck-don-t-try-to-rehash-a-deleted-directory.patch # Do not suppress make commands BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -233,6 +235,8 @@ Development files for the com_err error message display library. Static librarie %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 cp %{SOURCE2} . %build