Date: Sun, 5 Jun 2022 16:20:51 GMT From: Matthias Andree <mandree@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org Subject: git: 78d13baac324 - 2022Q2 - sysutils/e2fsprogs: fix CVE-2022-1304 Message-ID: <202206051620.255GKpht088218@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch 2022Q2 has been updated by mandree: URL: https://cgit.FreeBSD.org/ports/commit/?id=78d13baac3249e28108e062b899780bf09b53f5d commit 78d13baac3249e28108e062b899780bf09b53f5d Author: Matthias Andree <mandree@FreeBSD.org> AuthorDate: 2022-06-05 15:21:42 +0000 Commit: Matthias Andree <mandree@FreeBSD.org> CommitDate: 2022-06-05 16:20:48 +0000 sysutils/e2fsprogs: fix CVE-2022-1304 Take patch from linux-ext4@ mailing list to fix Security: CVE-2022-1304 Security: a58f3fde-e4e0-11ec-8340-2d623369b8b5 MFH: 2022Q2 (cherry picked from commit 83ce641b79e305333e8444b53821f12a21b753e6) --- sysutils/e2fsprogs/Makefile | 2 +- sysutils/e2fsprogs/files/patch-CVE-2022-1304 | 57 ++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+), 1 deletion(-) diff --git a/sysutils/e2fsprogs/Makefile b/sysutils/e2fsprogs/Makefile index 010d421b860b..8139fdc24b54 100644 --- a/sysutils/e2fsprogs/Makefile +++ b/sysutils/e2fsprogs/Makefile @@ -14,7 +14,7 @@ PORTNAME= e2fsprogs PORTVERSION= 1.46.5 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES?= sysutils MASTER_SITES= KERNEL_ORG/linux/kernel/people/tytso/${PORTNAME}/v${PORTVERSION} diff --git a/sysutils/e2fsprogs/files/patch-CVE-2022-1304 b/sysutils/e2fsprogs/files/patch-CVE-2022-1304 new file mode 100644 index 000000000000..dec6e97b76be --- /dev/null +++ b/sysutils/e2fsprogs/files/patch-CVE-2022-1304 @@ -0,0 +1,57 @@ +From: Lukas Czerner <lczerner@redhat.com> +To: linux-ext4@vger.kernel.org +Cc: tytso@mit.edu, Nils Bars <nils_bars@t-online.de> +Subject: [PATCH] e2fsprogs: add sanity check to extent manipulation +Date: Thu, 21 Apr 2022 19:31:48 +0200 +Message-Id: <20220421173148.20193-1-lczerner@redhat.com> +List-ID: <linux-ext4.vger.kernel.org> +X-Mailing-List: linux-ext4@vger.kernel.org + +It is possible to have a corrupted extent tree in such a way that a leaf +node contains zero extents in it. Currently if that happens and we try +to traverse the tree we can end up accessing wrong data, or possibly +even uninitialized memory. Make sure we don't do that. + +Additionally make sure that we have a sane number of bytes passed to +memmove() in ext2fs_extent_delete(). + +Note that e2fsck is currently unable to spot and fix such corruption in +pass1. + +Signed-off-by: Lukas Czerner <lczerner@redhat.com> +Reported-by: Nils Bars <nils_bars@t-online.de> +Addressess: https://bugzilla.redhat.com/show_bug.cgi?id=2068113 +--- + lib/ext2fs/extent.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c +index b324c7b0..1a206a16 100644 +--- ./lib/ext2fs/extent.c ++++ b/lib/ext2fs/extent.c +@@ -495,6 +495,10 @@ retry: + ext2fs_le16_to_cpu(eh->eh_entries); + newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max); + ++ /* Make sure there is at least one extent present */ ++ if (newpath->left <= 0) ++ return EXT2_ET_EXTENT_NO_DOWN; ++ + if (path->left > 0) { + ix++; + newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block); +@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags) + + cp = path->curr; + ++ /* Sanity check before memmove() */ ++ if (path->left < 0) ++ return EXT2_ET_EXTENT_LEAF_BAD; ++ + if (path->left) { + memmove(cp, cp + sizeof(struct ext3_extent_idx), + path->left * sizeof(struct ext3_extent_idx)); +-- +2.35.1 + +
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202206051620.255GKpht088218>