[e2fsprogs/f21] Fix CVE-2015-1572 annd other bugs

Eric Sandeen sandeen at fedoraproject.org
Tue Feb 24 17:27:38 UTC 2015


commit 7a507f9bcdf9700215e5a60f3f595afe6d31780b
Author: Eric Sandeen <sandeen at redhat.com>
Date:   Tue Feb 24 11:27:20 2015 -0600

    Fix CVE-2015-1572 and other bugs

 e2fsprogs-1.42.12-closefs-cve.patch       | 51 ++++++++++++++++++++++++++
 e2fsprogs-1.42.12-dumpe2fs-segfault.patch | 25 +++++++++++++
 e2fsprogs-1.42.12-resize2fs-fsck.patch    | 59 +++++++++++++++++++++++++++++++
 e2fsprogs.spec                            | 13 ++++++-
 4 files changed, 147 insertions(+), 1 deletion(-)
---
diff --git a/e2fsprogs-1.42.12-closefs-cve.patch b/e2fsprogs-1.42.12-closefs-cve.patch
new file mode 100644
index 0000000..af219c4
--- /dev/null
+++ b/e2fsprogs-1.42.12-closefs-cve.patch
@@ -0,0 +1,51 @@
+commit 49d0fe2a14f2a23da2fe299643379b8c1d37df73
+Author: Theodore Ts'o <tytso at mit.edu>
+Date:   Fri Feb 6 12:46:39 2015 -0500
+
+    libext2fs: fix potential buffer overflow in closefs()
+    
+    The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
+    s_first_meta_bg is too big" had a typo in the fix for
+    ext2fs_closefs().  In practice most of the security exposure was from
+    the openfs path, since this meant if there was a carefully crafted
+    file system, buffer overrun would be triggered when the file system was
+    opened.
+    
+    However, if corrupted file system didn't trip over some corruption
+    check, and then the file system was modified via tune2fs or debugfs,
+    such that the superblock was marked dirty and then written out via the
+    closefs() path, it's possible that the buffer overrun could be
+    triggered when the file system is closed.
+    
+    Also clear up a signed vs unsigned warning while we're at it.
+    
+    Thanks to Nick Kralevich <nnk at google.com> for asking me to look at
+    compiler warning in the code in question, which led me to notice the
+    bug in f66e6ce4446.
+    
+    Addresses: CVE-2015-1572
+    
+    Signed-off-by: Theodore Ts'o <tytso at mit.edu>
+
+diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
+index 1f99113..ab5b2fb 100644
+--- a/lib/ext2fs/closefs.c
++++ b/lib/ext2fs/closefs.c
+@@ -287,7 +287,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+ 	dgrp_t		j;
+ #endif
+ 	char	*group_ptr;
+-	int	old_desc_blocks;
++	blk64_t	old_desc_blocks;
+ 	struct ext2fs_numeric_progress_struct progress;
+ 
+ 	EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS);
+@@ -346,7 +346,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+ 	group_ptr = (char *) group_shadow;
+ 	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
+ 		old_desc_blocks = fs->super->s_first_meta_bg;
+-		if (old_desc_blocks > fs->super->s_first_meta_bg)
++		if (old_desc_blocks > fs->desc_blocks)
+ 			old_desc_blocks = fs->desc_blocks;
+ 	} else
+ 		old_desc_blocks = fs->desc_blocks;
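Review bot: The corrected clamp in the second nested hunk, `if (old_desc_blocks > fs->desc_blocks)`, replaces a comparison of `old_desc_blocks` against the very value it was just assigned, so the clamp was dead code until now and nothing in this package exercises it; a regression image with an oversized `s_first_meta_bg` that is dirtied and written back through tune2fs or debugfs, as the upstream message describes, would be the natural check to carry alongside the patch. The upstream description also assumes the openfs-side fix it references (f66e6ce4446) is already present in the 1.42.12 base; that is plausible for this release but worth confirming rather than inferring, since the closefs fix alone would otherwise leave the open path exposed. `ext2fs_flush2` starts before and ends after both nested hunks.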
diff --git a/e2fsprogs-1.42.12-dumpe2fs-segfault.patch b/e2fsprogs-1.42.12-dumpe2fs-segfault.patch
new file mode 100644
index 0000000..439a00f
--- /dev/null
+++ b/e2fsprogs-1.42.12-dumpe2fs-segfault.patch
@@ -0,0 +1,25 @@
+commit fecb231f6fc83cf4b4ddf7ec34ace3723803a499
+Author: Darrick J. Wong <darrick.wong at oracle.com>
+Date:   Fri Nov 7 21:26:14 2014 -0500
+
+    dumpe2fs: don't crash when the user provides no block device argument
+    
+    If the user doesn't provide any arguments, the guard fails to run and
+    the whole thing segfaults on ext2fs_open2().  Don't do that.
+    
+    Signed-off-by: Darrick J. Wong <darrick.wong at oracle.com>
+    Signed-off-by: Theodore Ts'o <tytso at mit.edu>
+
+diff --git a/misc/dumpe2fs.c b/misc/dumpe2fs.c
+index 1eae5a3..4185d6e 100644
+--- a/misc/dumpe2fs.c
++++ b/misc/dumpe2fs.c
+@@ -575,7 +575,7 @@ int main (int argc, char ** argv)
+ 			usage();
+ 		}
+ 	}
+-	if (argc - 1 > optind) {
++	if (optind != argc - 1) {
+ 		usage();
+ 		exit(1);
+ 	}
diff --git a/e2fsprogs-1.42.12-resize2fs-fsck.patch b/e2fsprogs-1.42.12-resize2fs-fsck.patch
new file mode 100644
index 0000000..40f34e6
--- /dev/null
+++ b/e2fsprogs-1.42.12-resize2fs-fsck.patch
@@ -0,0 +1,59 @@
+commit 0462fd6db55de28d7e087d8d06ab20339acd8f67
+Author: Eric Sandeen <sandeen at sandeen.net>
+Date:   Sun Dec 14 19:08:59 2014 -0500
+
+    resize2fs: don't require fsck to print min size
+    
+    My previous change ended up requiring that the filesystem
+    be fsck'd after the last mount, even if we are only querying
+    the minimum size.  This is a bit draconian, and it burned
+    the Fedora installer, which wants to calculate minimum size
+    for every filesystem in the box at install time, which in turn
+    requires a full fsck of every filesystem.
+    
+    Try this one more time, and separate out the tests to make things
+    a bit more clear.  If we're only printing the min size, don't
+    require the fsck, as this is a bit less dangerous/critical.
+    
+    Signed-off-by: Eric Sandeen <sandeen at redhat.com>
+    Signed-off-by: Theodore Ts'o <tytso at mit.edu>
+
+diff --git a/resize/main.c b/resize/main.c
+index 983d8c2..9a35af0 100644
+--- a/resize/main.c
++++ b/resize/main.c
+@@ -321,10 +321,30 @@ int main (int argc, char ** argv)
+ 	}
+ 	fs->default_bitmap_type = EXT2FS_BMAP64_RBTREE;
+ 
+-	if (!(mount_flags & EXT2_MF_MOUNTED)) {
+-		if (!force && ((fs->super->s_lastcheck < fs->super->s_mtime) ||
+-			       (fs->super->s_state & EXT2_ERROR_FS) ||
+-			       ((fs->super->s_state & EXT2_VALID_FS) == 0))) {
++	/*
++	 * Before acting on an unmounted filesystem, make sure it's ok,
++	 * unless the user is forcing it.
++	 *
++	 * We do ERROR and VALID checks even if we're only printing the
++	 * minimimum size, because traversal of a badly damaged filesystem
++	 * can cause issues as well.  We don't require it to be fscked after
++	 * the last mount time in this case, though, as this is a bit less
++	 * risky.
++	 */
++	if (!force && !(mount_flags & EXT2_MF_MOUNTED)) {
++		int checkit = 0;
++
++		if (fs->super->s_state & EXT2_ERROR_FS)
++			checkit = 1;
++
++		if ((fs->super->s_state & EXT2_VALID_FS) == 0)
++			checkit = 1;
++
++		if ((fs->super->s_lastcheck < fs->super->s_mtime) &&
++		    !print_min_size)
++			checkit = 1;
++
++		if (checkit) {
+ 			fprintf(stderr,
+ 				_("Please run 'e2fsck -f %s' first.\n\n"),
+ 				device_name);
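Review bot: The new comment block misspells `minimimum` (`minimum`) in the sentence that justifies keeping the ERROR and VALID checks when only the minimum size is printed; since this is the one place the relaxed policy is explained, it should read cleanly. Folding `!force` into the outer condition also means anything that previously sat inside `if (!(mount_flags & EXT2_MF_MOUNTED))` after the inner check is now skipped under `-f` as well; the closing braces lie past the end of the hunk, so that should be confirmed against the full function rather than assumed. `main` starts before and ends after the hunk.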
diff --git a/e2fsprogs.spec b/e2fsprogs.spec
index eeb6078..3fc4fe3 100644
--- a/e2fsprogs.spec
+++ b/e2fsprogs.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing ext2, ext3, and ext4 filesystems
 Name: e2fsprogs
 Version: 1.42.12
-Release: 2%{?dist}
+Release: 3%{?dist}
 
 # License tags based on COPYING file distinctions for various components
 License: GPLv2
@@ -12,6 +12,9 @@ Source2: e2fsck.conf
 
 Patch1: e2fsprogs-1.40.4-sb_feature_check_ignore.patch
 Patch2: e2fsprogs-1.42.12-use-after-free-fix.patch
+Patch3: e2fsprogs-1.42.12-closefs-cve.patch
+Patch4: e2fsprogs-1.42.12-dumpe2fs-segfault.patch
+Patch5: e2fsprogs-1.42.12-resize2fs-fsck.patch
 
 Url: http://e2fsprogs.sourceforge.net/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -152,6 +155,9 @@ It was originally inspired by the Multics SubSystem library.
 # after an selinux install...
 %patch1 -p1 -b .featurecheck
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
 %configure --enable-elf-shlibs --enable-nls --disable-uuidd --disable-fsck \
@@ -333,6 +339,11 @@ exit 0
 %{_libdir}/pkgconfig/ss.pc
 
 %changelog
+* Tue Feb 24 2015 Eric Sandeen <sandeen at redhat.com> 1.42.12-3
+- Fix potential buffer overflow in closefs (#1193947, CVE-2015-1572)
+- Fix dumpe2fs segfault with no arguments (#1194063)
+- Don't require fsck prior to resize2fs -P (#1170803)
+
 * Tue Feb 17 2015 Eric Sandeen <sandeen at redhat.com> 1.42.12-2
 - Fix use after free (#1192861)
 - Fix time-based fsck if set in superblock (e2fsck.conf, #963283)

