Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | From 49d0fe2a14f2a23da2fe299643379b8c1d37df73 Mon Sep 17 00:00:00 2001 |
| 2 | From: Theodore Ts'o <tytso@mit.edu> |
| 3 | Date: Fri, 6 Feb 2015 12:46:39 -0500 |
| 4 | Subject: [PATCH] libext2fs: fix potential buffer overflow in closefs() |
| 5 | |
| 6 | Upstream-Status: Backport |
| 7 | |
| 8 | The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if |
| 9 | s_first_meta_bg is too big" had a typo in the fix for |
| 10 | ext2fs_closefs(). In practice most of the security exposure was from |
| 11 | the openfs path, since this meant if there was a carefully crafted |
| 12 | file system, buffer overrun would be triggered when the file system was |
| 13 | opened. |
| 14 | |
| 15 | However, if corrupted file system didn't trip over some corruption |
| 16 | check, and then the file system was modified via tune2fs or debugfs, |
| 17 | such that the superblock was marked dirty and then written out via the |
| 18 | closefs() path, it's possible that the buffer overrun could be |
| 19 | triggered when the file system is closed. |
| 20 | |
| 21 | Also clear up a signed vs unsigned warning while we're at it. |
| 22 | |
| 23 | Thanks to Nick Kralevich <nnk@google.com> for asking me to look at |
| 24 | compiler warning in the code in question, which led me to notice the |
| 25 | bug in f66e6ce4446. |
| 26 | |
| 27 | Addresses: CVE-2015-1572 |
| 28 | |
| 29 | Signed-off-by: Theodore Ts'o <tytso@mit.edu> |
| 30 | --- |
| 31 | lib/ext2fs/closefs.c | 4 ++-- |
| 32 | 1 file changed, 2 insertions(+), 2 deletions(-) |
| 33 | |
| 34 | diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c |
| 35 | index 1f99113..ab5b2fb 100644 |
| 36 | --- a/lib/ext2fs/closefs.c |
| 37 | +++ b/lib/ext2fs/closefs.c |
| 38 | @@ -287,7 +287,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags) |
| 39 | dgrp_t j; |
| 40 | #endif |
| 41 | char *group_ptr; |
| 42 | - int old_desc_blocks; |
| 43 | + blk64_t old_desc_blocks; |
| 44 | struct ext2fs_numeric_progress_struct progress; |
| 45 | |
| 46 | EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS); |
| 47 | @@ -346,7 +346,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags) |
| 48 | group_ptr = (char *) group_shadow; |
| 49 | if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) { |
| 50 | old_desc_blocks = fs->super->s_first_meta_bg; |
| 51 | - if (old_desc_blocks > fs->super->s_first_meta_bg) |
| 52 | + if (old_desc_blocks > fs->desc_blocks) |
| 53 | old_desc_blocks = fs->desc_blocks; |
| 54 | } else |
| 55 | old_desc_blocks = fs->desc_blocks; |
| 56 | -- |
| 57 | 2.1.0 |
| 58 | |