diff --git a/e2fsck-abort-if-there-is-a-corrupted-directory-block.patch b/e2fsck-abort-if-there-is-a-corrupted-directory-block.patch
new file mode 100644
index 0000000..88bec2f
--- /dev/null
+++ b/e2fsck-abort-if-there-is-a-corrupted-directory-block.patch
@@ -0,0 +1,55 @@
+From 8dd73c149f418238f19791f9d666089ef9734dff Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Thu, 19 Dec 2019 19:37:34 -0500
+Subject: [PATCH] e2fsck: abort if there is a corrupted directory block
+ when rehashing
+References: bsc#1160571 CVE-2019-5188
+
+In e2fsck pass 3a, when we are rehashing directories, at least in
+theory, all of the directories should have had corruptions with
+respect to directory entry structure fixed. However, it's possible
+(for example, if the user declined a fix) that we can reach this stage
+of processing with a corrupted directory entries.
+
+So check for that case and don't try to process a corrupted directory
+block so we don't run into trouble in mutate_name() if there is a
+zero-length file name.
+
+Addresses: TALOS-2019-0973
+Addresses: CVE-2019-5188
+Signed-off-by: Theodore Ts'o
+Acked-by: Jan Kara
+---
+ e2fsck/rehash.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+Index: e2fsprogs-1.42.11/e2fsck/rehash.c
+===================================================================
+--- e2fsprogs-1.42.11.orig/e2fsck/rehash.c
++++ e2fsprogs-1.42.11/e2fsck/rehash.c
+@@ -129,6 +129,10 @@ static int fill_dir_block(ext2_filsys fs
+ dir_offset += rec_len;
+ if (dirent->inode == 0)
+ continue;
++ if ((dirent->name_len&0xFF) == 0) {
++ fd->err = EXT2_ET_DIR_CORRUPTED;
++ return BLOCK_ABORT;
++ }
+ if (!fd->compress && ((dirent->name_len&0xFF) == 1) &&
+ (dirent->name[0] == '.'))
+ continue;
+@@ -365,8 +369,13 @@ static int duplicate_search_and_fix(e2fs
+ fixed++;
+ continue;
+ }
+- memcpy(new_name, ent->dir->name, ent->dir->name_len & 0xFF);
+ new_len = ent->dir->name_len;
++ if (new_len & 0xFF == 0) {
++ /* should never happen */
++ ext2fs_unmark_valid(fs);
++ continue;
++ }
++ memcpy(new_name, ent->dir->name, new_len & 0xFF);
+ mutate_name(new_name, &new_len);
+ for (j=0; j < fd->num_array; j++) {
+ if ((i==j) ||
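Review bot: The guard added in duplicate_search_and_fix, `if (new_len & 0xFF == 0) {`, can never be true: `==` binds tighter than `&` in C, so it evaluates as `new_len & (0xFF == 0)`, which is `new_len & 0`. It should read `if ((new_len & 0xFF) == 0) {`, matching the parenthesised form the fill_dir_block hunk uses. As written, only the fill_dir_block check stands between a zero-length name and mutate_name(), so the second check adds no defence in depth; compilers typically flag this pattern under `-Wparentheses`. Both functions begin and end outside the hunks shown.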
diff --git a/e2fsck-don-t-try-to-rehash-a-deleted-directory.patch b/e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
new file mode 100644
index 0000000..d74a0e7
--- /dev/null
+++ b/e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
@@ -0,0 +1,45 @@
+From 71ba13755337e19c9a826dfc874562a36e1b24d3 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Thu, 19 Dec 2019 19:45:06 -0500
+Subject: [PATCH] e2fsck: don't try to rehash a deleted directory
+References: bsc#1160571 CVE-2019-5188
+
+If directory has been deleted in pass1[bcd] processing, then we
+shouldn't try to rehash the directory in pass 3a when we try to
+rehash/reoptimize directories.
+
+Signed-off-by: Theodore Ts'o
+Acked-by: Jan Kara
+---
+ e2fsck/pass1b.c | 4 ++++
+ e2fsck/rehash.c | 2 ++
+ 2 files changed, 6 insertions(+)
+
+Index: e2fsprogs-1.42.11/e2fsck/pass1b.c
+===================================================================
+--- e2fsprogs-1.42.11.orig/e2fsck/pass1b.c
++++ e2fsprogs-1.42.11/e2fsck/pass1b.c
+@@ -643,6 +643,10 @@ static void delete_file(e2fsck_t ctx, ex
+ fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx);
+ if (ctx->inode_bad_map)
+ ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino);
++ if (ctx->inode_reg_map)
++ ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino);
++ ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino);
++ ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino);
+ ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode));
+ quota_data_sub(ctx->qctx, &dp->inode, ino,
+ pb.dup_blocks * fs->blocksize);
+Index: e2fsprogs-1.42.11/e2fsck/rehash.c
+===================================================================
+--- e2fsprogs-1.42.11.orig/e2fsck/rehash.c
++++ e2fsprogs-1.42.11/e2fsck/rehash.c
+@@ -882,6 +882,8 @@ void e2fsck_rehash_directories(e2fsck_t
+ }
+ if (ino == ctx->lost_and_found)
+ continue;
++ if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino))
++ continue;
+ pctx.dir = ino;
+ if (first) {
+ fix_problem(ctx, PR_3A_PASS_HEADER, &pctx);
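Review bot: The new skip in e2fsck_rehash_directories, `if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino)) continue;`, makes inode_dir_map the sole signal that a queued directory no longer exists, and neither hunk says so. A short comment above the test would record that, e.g. `/* directory was deleted in an earlier pass; nothing to rehash */`. In delete_file the two new unconditional unmark calls sit right under guarded ones (`if (ctx->inode_reg_map)`), so a one-line comment noting that inode_dir_map and inode_used_map are presumably always allocated at this point would explain the asymmetry. Whether other paths that release a directory inode also clear inode_dir_map is not visible here and is worth checking, since any that do not would still reach the rehash code. Both function bodies extend outside the hunks.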
diff --git a/e2fsprogs.changes b/e2fsprogs.changes index 3b29150..11922b7 100644 --- a/e2fsprogs.changes +++ b/e2fsprogs.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Jan 9 15:19:10 UTC 2020 - Jan Kara + +- e2fsck-abort-if-there-is-a-corrupted-directory-block.patch: e2fsck: abort if + there is a corrupted directory block when rehashing (bsc#1160571 + CVE-2019-5188) +- e2fsck-don-t-try-to-rehash-a-deleted-directory.patch: 2fsck: don't try to + rehash a deleted directory (bsc#1160571 CVE-2019-5188) + ------------------------------------------------------------------- Mon May 20 16:20:33 UTC 2019 - Jan Kara diff --git a/e2fsprogs.spec b/e2fsprogs.spec index 3ef9bf7..e00afd9 100644 --- a/e2fsprogs.spec +++ b/e2fsprogs.spec @@ -1,7 +1,7 @@ # # spec file for package e2fsprogs # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -70,6 +70,8 @@ Patch12: libext2fs-Fix-fsync-2-detection.patch Patch13: e2fsck-check-and-fix-tails-of-all-bitmaps.patch Patch14: Revert-mke2fs-prevent-creation-of-unmountable-ext4-w.patch Patch15: libext2fs-place-metadata-blocks-in-the-last-flex_bg-.patch +Patch16: e2fsck-abort-if-there-is-a-corrupted-directory-block.patch +Patch17: e2fsck-don-t-try-to-rehash-a-deleted-directory.patch # Do not suppress make commands BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -162,6 +164,8 @@ Development files for the com_err error message display library. %patch13 -p1 %patch14 -p1 %patch15 -p1 +%patch16 -p1 +%patch17 -p1 cp %{SOURCE2} . %build