poky/meta/recipes-devtools/e2fsprogs/e2fsprogs/extents.patch - openbmc/openbmc - Gitiles

 CVE: CVE-2022-1304
 Upstream-Status: Backport [ ab51d587bb9b229b1fade1afd02e1574c1ba5c76 ]
 Signed-off-by: Ross Burton <ross.burton@arm.com>

 From 347084c9c1ad20f47dae16f5a3dcd8628d5fc7b0 Mon Sep 17 00:00:00 2001
 From: Lukas Czerner <lczerner@redhat.com>
 Date: Thu, 21 Apr 2022 19:31:48 +0200
 Subject: [PATCH] e2fsprogs: add sanity check to extent manipulation

 It is possible to have a corrupted extent tree in such a way that a leaf
 node contains zero extents in it. Currently if that happens and we try
 to traverse the tree we can end up accessing wrong data, or possibly
 even uninitialized memory. Make sure we don't do that.

 Additionally make sure that we have a sane number of bytes passed to
 memmove() in ext2fs_extent_delete().

 Note that e2fsck is currently unable to spot and fix such corruption in
 pass1.

 Signed-off-by: Lukas Czerner <lczerner@redhat.com>
 Reported-by: Nils Bars <nils_bars@t-online.de>
 Addressess: https://bugzilla.redhat.com/show_bug.cgi?id=2068113
 ---
  lib/ext2fs/extent.c | 8 ++++++++
  1 file changed, 8 insertions(+)

 diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
 index b324c7b0..1a206a16 100644
 --- a/lib/ext2fs/extent.c
 +++ b/lib/ext2fs/extent.c
 @@ -495,6 +495,10 @@ retry:
  			ext2fs_le16_to_cpu(eh->eh_entries);
  		newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);

 +		/* Make sure there is at least one extent present */
 +		if (newpath->left <= 0)
 +			return EXT2_ET_EXTENT_NO_DOWN;
 +
  		if (path->left > 0) {
  			ix++;
  			newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);
 @@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)

  	cp = path->curr;

 +	/* Sanity check before memmove() */
 +	if (path->left < 0)
 +		return EXT2_ET_EXTENT_LEAF_BAD;
 +
  	if (path->left) {
  		memmove(cp, cp + sizeof(struct ext3_extent_idx),
  			path->left * sizeof(struct ext3_extent_idx));
 --
 2.25.1
	CVE: CVE-2022-1304
	Upstream-Status: Backport [ ab51d587bb9b229b1fade1afd02e1574c1ba5c76 ]
	Signed-off-by: Ross Burton <ross.burton@arm.com>

	From 347084c9c1ad20f47dae16f5a3dcd8628d5fc7b0 Mon Sep 17 00:00:00 2001
	From: Lukas Czerner <lczerner@redhat.com>
	Date: Thu, 21 Apr 2022 19:31:48 +0200
	Subject: [PATCH] e2fsprogs: add sanity check to extent manipulation

	It is possible to have a corrupted extent tree in such a way that a leaf
	node contains zero extents in it. Currently if that happens and we try
	to traverse the tree we can end up accessing wrong data, or possibly
	even uninitialized memory. Make sure we don't do that.

	Additionally make sure that we have a sane number of bytes passed to
	memmove() in ext2fs_extent_delete().

	Note that e2fsck is currently unable to spot and fix such corruption in
	pass1.

	Signed-off-by: Lukas Czerner <lczerner@redhat.com>
	Reported-by: Nils Bars <nils_bars@t-online.de>
	Addressess: https://bugzilla.redhat.com/show_bug.cgi?id=2068113
	---
	lib/ext2fs/extent.c \| 8 ++++++++
	1 file changed, 8 insertions(+)

	diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
	index b324c7b0..1a206a16 100644
	--- a/lib/ext2fs/extent.c
	+++ b/lib/ext2fs/extent.c
	@@ -495,6 +495,10 @@ retry:
	ext2fs_le16_to_cpu(eh->eh_entries);
	newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);

	+ /* Make sure there is at least one extent present */
	+ if (newpath->left <= 0)
	+ return EXT2_ET_EXTENT_NO_DOWN;
	+
	if (path->left > 0) {
	ix++;
	newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);
	@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)

	cp = path->curr;

	+ /* Sanity check before memmove() */
	+ if (path->left < 0)
	+ return EXT2_ET_EXTENT_LEAF_BAD;
	+
	if (path->left) {
	memmove(cp, cp + sizeof(struct ext3_extent_idx),
	path->left * sizeof(struct ext3_extent_idx));
	--
	2.25.1