From f66e6ce4446738c2c7f43d41988a3eb73347e2f5 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <tytso@mit.edu>
Date: Sat, 9 Aug 2014 12:24:54 -0400
Subject: [PATCH] libext2fs: avoid buffer overflow if s_first_meta_bg is too
big
References: bsc#915402 CVE-2015-0247
If s_first_meta_bg is greater than the number of block group
descriptor blocks, then reading or writing the block group descriptors
will end up overrunning the memory buffer allocated for the
descriptors. Fix this by limiting first_meta_bg to no more than
fs->desc_blocks. This doesn't correct the bad s_first_meta_bg value,
but it keeps the e2fsprogs userspace programs from
potentially crashing.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Jan Kara <jack@suse.cz>
---
lib/ext2fs/closefs.c | 6 ++++--
lib/ext2fs/openfs.c | 6 ++++--
2 files changed, 8 insertions(+), 4 deletions(-)
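--- a/lib/ext2fs/closefs.c
+++ b/lib/ext2fs/closefs.c
@@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs,
 * superblocks and group descriptors.
 */
 group_ptr = (char *) group_shadow;
- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
 old_desc_blocks = fs->super->s_first_meta_bg;
- else
+ if (old_desc_blocks > fs->super->s_first_meta_bg)
+ old_desc_blocks = fs->desc_blocks;
+ } else
 old_desc_blocks = fs->desc_blocks;
 
 ext2fs_numeric_progress_init(fs, &progress, NULL,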
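Review bot: The guard added in the closefs.c hunk can never fire, because `old_desc_blocks` has just been assigned `fs->super->s_first_meta_bg`, so `if (old_desc_blocks > fs->super->s_first_meta_bg)` compares the value with itself and the clamp below it is dead code. An oversized on-disk `s_first_meta_bg` therefore still passes through ext2fs_flush2 unbounded, which leaves the write-side overrun described in the commit message in place. The comparison should be against the descriptor-block count, as the openfs.c hunk does: `if (old_desc_blocks > fs->desc_blocks)`. ext2fs_flush2 starts and ends outside this hunk, so how `old_desc_blocks` is consumed afterwards is inferred from the commit message rather than seen here.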
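--- a/lib/ext2fs/openfs.c
+++ b/lib/ext2fs/openfs.c
@@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name,
 #ifdef WORDS_BIGENDIAN
 groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
 #endif
- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
 first_meta_bg = fs->super->s_first_meta_bg;
- else
+ if (first_meta_bg > fs->desc_blocks)
+ first_meta_bg = fs->desc_blocks;
+ } else
 first_meta_bg = fs->desc_blocks;
 if (first_meta_bg) {
 retval = io_channel_read_blk(fs->io, group_block +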
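Review bot: The clamp on `first_meta_bg` in the openfs.c hunk has no comment explaining why it is there, so a later cleanup could remove it as redundant. A comment above the inner `if` would record the intent, for example `/* s_first_meta_bg is read from the on-disk superblock and may be corrupt; bound it by fs->desc_blocks so the descriptor read stays inside the allocated buffer */`. The clamp also depends on `fs->desc_blocks` already holding its final value at this point, which cannot be confirmed here because ext2fs_open2 starts and ends outside the hunk. As a style point, the new `} else` pairs a braced `if` with an unbraced branch; bracing both (`} else {`) would keep the two arms consistent.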