diff options
Diffstat (limited to 'system/e2fsprogs')
-rw-r--r-- | system/e2fsprogs/APKBUILD | 10 | ||||
-rw-r--r-- | system/e2fsprogs/CVE-2019-5094.patch | 211 |
2 files changed, 219 insertions, 2 deletions
diff --git a/system/e2fsprogs/APKBUILD b/system/e2fsprogs/APKBUILD index 30d291ec0..ba7869fe8 100644 --- a/system/e2fsprogs/APKBUILD +++ b/system/e2fsprogs/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=e2fsprogs pkgver=1.45.3 -pkgrel=0 +pkgrel=1 pkgdesc="Standard ext2/3/4 filesystem utilities" url="http://e2fsprogs.sourceforge.net" arch="all" @@ -13,8 +13,13 @@ makedepends="$depends_dev linux-headers" subpackages="$pkgname-lang $pkgname-dev $pkgname-doc libcom_err $pkgname-libs" source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz header-fix.patch + CVE-2019-5094.patch " +# secfixes: +# 1.45.3-r1: +# - CVE-2019-5094 + build () { ./configure \ --build=$CBUILD \ @@ -55,4 +60,5 @@ libcom_err() { } sha512sums="9f898d353af48a1d357cb01f64187b6dfef671bb2e0450438530fe4fa9454fccc6b755c9469d81e702e6d85a4defd02ae0a493897a4b3284cb112e8444c9bf52 e2fsprogs-1.45.3.tar.xz -34ca45c64a132bb4b507cd4ffb763c6d1b7979eccfed20f63417e514871b47639d32f2a3ecff090713c21a0f02ac503d5093960c80401d64081c592d01af279d header-fix.patch" +34ca45c64a132bb4b507cd4ffb763c6d1b7979eccfed20f63417e514871b47639d32f2a3ecff090713c21a0f02ac503d5093960c80401d64081c592d01af279d header-fix.patch +f82cf01938eb150446a7014ba48d51578ace42aecd427e225a3640033a4d8f2ec5a29dd02a3c0dfa45d2140cb2187303397c2d0124a2f987304c25182cc9578a CVE-2019-5094.patch" diff --git a/system/e2fsprogs/CVE-2019-5094.patch b/system/e2fsprogs/CVE-2019-5094.patch new file mode 100644 index 000000000..21baf660a --- /dev/null +++ b/system/e2fsprogs/CVE-2019-5094.patch @@ -0,0 +1,211 @@ +From 8dbe7b475ec5e91ed767239f0e85880f416fc384 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Sun, 1 Sep 2019 00:59:16 -0400 +Subject: libsupport: add checks to prevent buffer overrun bugs in quota code + +A maliciously corrupted file systems can trigger buffer overruns in +the quota code used by e2fsck. To fix this, add sanity checks to the +quota header fields as well as to block number references in the quota +tree. + +Addresses: CVE-2019-5094 +Addresses: TALOS-2019-0887 +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +--- + lib/support/mkquota.c | 1 + + lib/support/quotaio_tree.c | 71 ++++++++++++++++++++++++++++++---------------- + lib/support/quotaio_v2.c | 28 ++++++++++++++++++ + 3 files changed, 76 insertions(+), 24 deletions(-) + +diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c +index 0b9e7665..ddb53124 100644 +--- a/lib/support/mkquota.c ++++ b/lib/support/mkquota.c +@@ -671,6 +671,7 @@ errcode_t quota_compare_and_update(quota_ctx_t qctx, enum quota_type qtype, + err = qh.qh_ops->scan_dquots(&qh, scan_dquots_callback, &scan_data); + if (err) { + log_debug("Error scanning dquots"); ++ *usage_inconsistent = 1; + goto out_close_qh; + } + +diff --git a/lib/support/quotaio_tree.c b/lib/support/quotaio_tree.c +index a7c2028c..6cc4fb5b 100644 +--- a/lib/support/quotaio_tree.c ++++ b/lib/support/quotaio_tree.c +@@ -540,6 +540,17 @@ struct dquot *qtree_read_dquot(struct quota_handle *h, qid_t id) + return dquot; + } + ++static int check_reference(struct quota_handle *h, unsigned int blk) ++{ ++ if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) { ++ log_err("Illegal reference (%u >= %u) in %s quota file", ++ blk, h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks, ++ quota_type2name(h->qh_type)); ++ return -1; ++ } ++ return 0; ++} ++ + /* + * Scan all dquots in file and call callback on each + */ +@@ -558,7 +569,7 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap, + int entries, i; + + if (!buf) +- return 0; ++ return -1; + + set_bit(bitmap, blk); + read_blk(dquot->dq_h, blk, buf); +@@ -580,23 +591,12 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap, + return entries; + } + +-static void check_reference(struct quota_handle *h, unsigned int blk) +-{ +- if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) +- log_err("Illegal reference (%u >= %u) in %s quota file. " +- "Quota file is probably corrupted.\n" +- "Please run e2fsck (8) to fix it.", +- blk, +- h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks, +- quota_type2name(h->qh_type)); +-} +- + static int report_tree(struct dquot *dquot, unsigned int blk, int depth, + char *bitmap, + int (*process_dquot) (struct dquot *, void *), + void *data) + { +- int entries = 0, i; ++ int entries = 0, ret, i; + dqbuf_t buf = getdqbuf(); + __le32 *ref = (__le32 *) buf; + +@@ -607,22 +607,40 @@ static int report_tree(struct dquot *dquot, unsigned int blk, int depth, + if (depth == QT_TREEDEPTH - 1) { + for (i = 0; i < QT_BLKSIZE >> 2; i++) { + blk = ext2fs_le32_to_cpu(ref[i]); +- check_reference(dquot->dq_h, blk); +- if (blk && !get_bit(bitmap, blk)) +- entries += report_block(dquot, blk, bitmap, +- process_dquot, data); ++ if (check_reference(dquot->dq_h, blk)) { ++ entries = -1; ++ goto errout; ++ } ++ if (blk && !get_bit(bitmap, blk)) { ++ ret = report_block(dquot, blk, bitmap, ++ process_dquot, data); ++ if (ret < 0) { ++ entries = ret; ++ goto errout; ++ } ++ entries += ret; ++ } + } + } else { + for (i = 0; i < QT_BLKSIZE >> 2; i++) { + blk = ext2fs_le32_to_cpu(ref[i]); + if (blk) { +- check_reference(dquot->dq_h, blk); +- entries += report_tree(dquot, blk, depth + 1, +- bitmap, process_dquot, +- data); ++ if (check_reference(dquot->dq_h, blk)) { ++ entries = -1; ++ goto errout; ++ } ++ ret = report_tree(dquot, blk, depth + 1, ++ bitmap, process_dquot, ++ data); ++ if (ret < 0) { ++ entries = ret; ++ goto errout; ++ } ++ entries += ret; + } + } + } ++errout: + freedqbuf(buf); + return entries; + } +@@ -642,6 +660,7 @@ int qtree_scan_dquots(struct quota_handle *h, + int (*process_dquot) (struct dquot *, void *), + void *data) + { ++ int ret; + char *bitmap; + struct v2_mem_dqinfo *v2info = &h->qh_info.u.v2_mdqi; + struct qtree_mem_dqinfo *info = &v2info->dqi_qtree; +@@ -655,10 +674,14 @@ int qtree_scan_dquots(struct quota_handle *h, + ext2fs_free_mem(&dquot); + return -1; + } +- v2info->dqi_used_entries = report_tree(dquot, QT_TREEOFF, 0, bitmap, +- process_dquot, data); ++ ret = report_tree(dquot, QT_TREEOFF, 0, bitmap, process_dquot, data); ++ if (ret < 0) ++ goto errout; ++ v2info->dqi_used_entries = ret; + v2info->dqi_data_blocks = find_set_bits(bitmap, info->dqi_blocks); ++ ret = 0; ++errout: + ext2fs_free_mem(&bitmap); + ext2fs_free_mem(&dquot); +- return 0; ++ return ret; + } +diff --git a/lib/support/quotaio_v2.c b/lib/support/quotaio_v2.c +index 38be2a34..73906676 100644 +--- a/lib/support/quotaio_v2.c ++++ b/lib/support/quotaio_v2.c +@@ -175,6 +175,8 @@ static int v2_check_file(struct quota_handle *h, int type, int fmt) + static int v2_init_io(struct quota_handle *h) + { + struct v2_disk_dqinfo ddqinfo; ++ struct v2_mem_dqinfo *info; ++ __u64 filesize; + + h->qh_info.u.v2_mdqi.dqi_qtree.dqi_entry_size = + sizeof(struct v2r1_disk_dqblk); +@@ -185,6 +187,32 @@ static int v2_init_io(struct quota_handle *h) + sizeof(ddqinfo)) != sizeof(ddqinfo)) + return -1; + v2_disk2memdqinfo(&h->qh_info, &ddqinfo); ++ ++ /* Check to make sure quota file info is sane */ ++ info = &h->qh_info.u.v2_mdqi; ++ if (ext2fs_file_get_lsize(h->qh_qf.e2_file, &filesize)) ++ return -1; ++ if ((filesize > (1U << 31)) || ++ (info->dqi_qtree.dqi_blocks > ++ (filesize + QT_BLKSIZE - 1) >> QT_BLKSIZE_BITS)) { ++ log_err("Quota inode %u corrupted: file size %llu; " ++ "dqi_blocks %u", h->qh_qf.ino, ++ filesize, info->dqi_qtree.dqi_blocks); ++ return -1; ++ } ++ if (info->dqi_qtree.dqi_free_blk >= info->dqi_qtree.dqi_blocks) { ++ log_err("Quota inode %u corrupted: free_blk %u; dqi_blocks %u", ++ h->qh_qf.ino, info->dqi_qtree.dqi_free_blk, ++ info->dqi_qtree.dqi_blocks); ++ return -1; ++ } ++ if (info->dqi_qtree.dqi_free_entry >= info->dqi_qtree.dqi_blocks) { ++ log_err("Quota inode %u corrupted: free_entry %u; " ++ "dqi_blocks %u", h->qh_qf.ino, ++ info->dqi_qtree.dqi_free_entry, ++ info->dqi_qtree.dqi_blocks); ++ return -1; ++ } + return 0; + } + +-- +cgit 1.2-0.3.lf.el7 + |