Inicio Explorar Axuda
Iniciar sesión
PUBLIC_REPOS
/
buildroot
réplica de git://git.buildroot.net/buildroot
2
1
Fork 0
Ficheiros
Árbore: 4a0fbffa3e
Ramas Etiquetas
buildroot
/
package
/
e2fsprogs
/
0001-libext2fs-fix-potential-buffer-overflow-in-closefs.patch

0001-libext2fs-fix-potential-buffer-overflow-in-closefs.patch 2.1 KB
Histórico Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859 
  1. From 49d0fe2a14f2a23da2fe299643379b8c1d37df73 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Theodore Ts'o <tytso@mit.edu>
    3. 

  3. Date: Fri, 6 Feb 2015 12:46:39 -0500
    4. 

  4. Subject: [PATCH] libext2fs: fix potential buffer overflow in closefs()
    5. 

  5. 

  6. Upstream commit 49d0fe2a14f2.
    7. 

  7. 

  8. The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
    9. 

  9. s_first_meta_bg is too big" had a typo in the fix for
    10. 

  10. ext2fs_closefs().  In practice most of the security exposure was from
    11. 

  11. the openfs path, since this meant if there was a carefully crafted
    12. 

  12. file system, buffer overrun would be triggered when the file system was
    13. 

  13. opened.
    14. 

  14. 

  15. However, if corrupted file system didn't trip over some corruption
    16. 

  16. check, and then the file system was modified via tune2fs or debugfs,
    17. 

  17. such that the superblock was marked dirty and then written out via the
    18. 

  18. closefs() path, it's possible that the buffer overrun could be
    19. 

  19. triggered when the file system is closed.
    20. 

  20. 

  21. Also clear up a signed vs unsigned warning while we're at it.
    22. 

  22. 

  23. Thanks to Nick Kralevich <nnk@google.com> for asking me to look at
    24. 

  24. compiler warning in the code in question, which led me to notice the
    25. 

  25. bug in f66e6ce4446.
    26. 

  26. 

  27. Addresses: CVE-2015-1572
    28. 

  28. 

  29. Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    30. 

  30. Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    31. 

  31. ---
    32. 

  32.  lib/ext2fs/closefs.c | 4 ++--
    33. 

  33.  1 file changed, 2 insertions(+), 2 deletions(-)
    34. 

  34. 

  35. diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
    36. 

  36. index 1f9911311a1a..ab5b2fb2365e 100644
    37. 

  37. --- a/lib/ext2fs/closefs.c
    38. 

  38. +++ b/lib/ext2fs/closefs.c
    39. 

  39. @@ -287,7 +287,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
    40. 

  40.  	dgrp_t		j;
    41. 

  41.  #endif
    42. 

  42.  	char	*group_ptr;
    43. 

  43. -	int	old_desc_blocks;
    44. 

  44. +	blk64_t	old_desc_blocks;
    45. 

  45.  	struct ext2fs_numeric_progress_struct progress;
    46. 

  46.  
    47. 

  47.  	EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS);
    48. 

  48. @@ -346,7 +346,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
    49. 

  49.  	group_ptr = (char *) group_shadow;
    50. 

  50.  	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
    51. 

  51.  		old_desc_blocks = fs->super->s_first_meta_bg;
    52. 

  52. -		if (old_desc_blocks > fs->super->s_first_meta_bg)
    53. 

  53. +		if (old_desc_blocks > fs->desc_blocks)
    54. 

  54.  			old_desc_blocks = fs->desc_blocks;
    55. 

  55.  	} else
    56. 

  56.  		old_desc_blocks = fs->desc_blocks;
    57. 

  57. -- 
    58. 

  58. 2.1.4
    59. 

  59.