* Tue Dec 11 2007 Eric Sandeen <esandeen@redhat.com> 1.40.2-14e2fsprogs-1_40_2-14_fc9

- Fix integer overflows (#414591 / CVE-2007-5497)
author: Eric Sandeen <sandeen@fedoraproject.org> 2007-12-12 20:16:57 +0000
committer: Eric Sandeen <sandeen@fedoraproject.org> 2007-12-12 20:16:57 +0000
commit: e7a9631152f124d9f9f8e674ec466d428eb6c8ef (patch)
tree: 14781a84f6f2c9b06e70493a05d95a0cd283e45b
parent: ecf110c62357836c58f665433c773edf7ba5fcb3 (diff)
download: e2fsprogs-e7a9631152f124d9f9f8e674ec466d428eb6c8ef.tar.gz
e2fsprogs-e7a9631152f124d9f9f8e674ec466d428eb6c8ef.tar.xz
e2fsprogs-e7a9631152f124d9f9f8e674ec466d428eb6c8ef.zip
2 files changed, 329 insertions, 1 deletions
diff --git a/e2fsprogs-1.40.2-integer-overflows.patch b/e2fsprogs-1.40.2-integer-overflows.patch
new file mode 100644
index 0000000..053c9e2
--- /dev/null
+++ b/e2fsprogs-1.40.2-integer-overflows.patch
@@ -0,0 +1,322 @@
+From ee01079a17bfecd17292ccd60058056fb3a8ba6c Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 9 Nov 2007 19:01:06 -0500
+Subject: [PATCH] libext2fs: Add checks to prevent integer overflows passed to malloc()
+
+This addresses a potential security vulnerability where an untrusted
+filesystem can be corrupted in such a way that a program using
+libext2fs will allocate a buffer which is far too small.  This can
+lead to either a crash or potentially a heap-based buffer overflow
+crash.  No known exploits exist, but main concern is where an
+untrusted user who possesses privileged access in a guest Xen
+environment could corrupt a filesystem which is then accessed by the
+pygrub program, running as root in the dom0 host environment, thus
+allowing the untrusted user to gain privileged access in the host OS.
+
+Thanks to the McAfee AVERT Research group for reporting this issue.
+
+Addresses CVE-2007-5497.
+
+Signed-off-by: Rafal Wojtczuk <rafal_wojtczuk@mcafee.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+---
+ lib/ext2fs/badblocks.c  |    2 +-
+ lib/ext2fs/bb_inode.c   |    2 +-
+ lib/ext2fs/block.c      |    2 +-
+ lib/ext2fs/bmap.c       |    2 +-
+ lib/ext2fs/bmove.c      |    2 +-
+ lib/ext2fs/brel_ma.c    |    3 ++-
+ lib/ext2fs/closefs.c    |    3 +--
+ lib/ext2fs/dblist.c     |    3 ++-
+ lib/ext2fs/dupfs.c      |    2 +-
+ lib/ext2fs/ext2fs.h     |    7 +++++++
+ lib/ext2fs/fileio.c     |    2 +-
+ lib/ext2fs/icount.c     |    3 ++-
+ lib/ext2fs/initialize.c |    2 +-
+ lib/ext2fs/inode.c      |   10 +++++-----
+ lib/ext2fs/irel_ma.c    |   12 ++++++++----
+ lib/ext2fs/openfs.c     |    2 +-
+ lib/ext2fs/res_gdt.c    |    2 +-
+ 17 files changed, 37 insertions(+), 24 deletions(-)
+
+Index: e2fsprogs-1.40.2/lib/ext2fs/badblocks.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/badblocks.c
++++ e2fsprogs-1.40.2/lib/ext2fs/badblocks.c
+@@ -42,7 +42,7 @@ static errcode_t make_u32_list(int size,
+ 	bb->magic = EXT2_ET_MAGIC_BADBLOCKS_LIST;
+ 	bb->size = size ? size : 10;
+ 	bb->num = num;
+-	retval = ext2fs_get_mem(bb->size * sizeof(blk_t), &bb->list);
++	retval = ext2fs_get_array(bb->size, sizeof(blk_t), &bb->list);
+ 	if (retval) {
+ 		ext2fs_free_mem(&bb);
+ 		return retval;
+Index: e2fsprogs-1.40.2/lib/ext2fs/bb_inode.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/bb_inode.c
++++ e2fsprogs-1.40.2/lib/ext2fs/bb_inode.c
+@@ -68,7 +68,7 @@ errcode_t ext2fs_update_bb_inode(ext2_fi
+ 	rec.bad_block_count = 0;
+ 	rec.ind_blocks_size = rec.ind_blocks_ptr = 0;
+ 	rec.max_ind_blocks = 10;
+-	retval = ext2fs_get_mem(rec.max_ind_blocks * sizeof(blk_t),
++	retval = ext2fs_get_array(rec.max_ind_blocks, sizeof(blk_t),
+ 				&rec.ind_blocks);
+ 	if (retval)
+ 		return retval;
+Index: e2fsprogs-1.40.2/lib/ext2fs/block.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/block.c
++++ e2fsprogs-1.40.2/lib/ext2fs/block.c
+@@ -313,7 +313,7 @@ errcode_t ext2fs_block_iterate2(ext2_fil
+ 	if (block_buf) {
+ 		ctx.ind_buf = block_buf;
+ 	} else {
+-		retval = ext2fs_get_mem(fs->blocksize * 3, &ctx.ind_buf);
++		retval = ext2fs_get_array(3, fs->blocksize, &ctx.ind_buf);
+ 		if (retval)
+ 			return retval;
+ 	}
+Index: e2fsprogs-1.40.2/lib/ext2fs/bmap.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/bmap.c
++++ e2fsprogs-1.40.2/lib/ext2fs/bmap.c
+@@ -158,7 +158,7 @@ errcode_t ext2fs_bmap(ext2_filsys fs, ex
+ 	addr_per_block = (blk_t) fs->blocksize >> 2;
+ 
+ 	if (!block_buf) {
+-		retval = ext2fs_get_mem(fs->blocksize * 2, &buf);
++		retval = ext2fs_get_array(2, fs->blocksize, &buf);
+ 		if (retval)
+ 			return retval;
+ 		block_buf = buf;
+Index: e2fsprogs-1.40.2/lib/ext2fs/bmove.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/bmove.c
++++ e2fsprogs-1.40.2/lib/ext2fs/bmove.c
+@@ -108,7 +108,7 @@ errcode_t ext2fs_move_blocks(ext2_filsys
+ 	pb.alloc_map = alloc_map ? alloc_map : fs->block_map;
+ 	pb.flags = flags;
+ 	
+-	retval = ext2fs_get_mem(fs->blocksize * 4, &block_buf);
++	retval = ext2fs_get_array(4, fs->blocksize, &block_buf);
+ 	if (retval)
+ 		return retval;
+ 	pb.buf = block_buf + fs->blocksize * 3;
+Index: e2fsprogs-1.40.2/lib/ext2fs/brel_ma.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/brel_ma.c
++++ e2fsprogs-1.40.2/lib/ext2fs/brel_ma.c
+@@ -75,7 +75,8 @@ errcode_t ext2fs_brel_memarray_create(ch
+ 	
+ 	size = (size_t) (sizeof(struct ext2_block_relocate_entry) *
+ 			 (max_block+1));
+-	retval = ext2fs_get_mem(size, &ma->entries);
++	retval = ext2fs_get_array(max_block+1,
++		sizeof(struct ext2_block_relocate_entry), &ma->entries);
+ 	if (retval)
+ 		goto errout;
+ 	memset(ma->entries, 0, size);
+Index: e2fsprogs-1.40.2/lib/ext2fs/closefs.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/closefs.c
++++ e2fsprogs-1.40.2/lib/ext2fs/closefs.c
+@@ -226,8 +226,7 @@ errcode_t ext2fs_flush(ext2_filsys fs)
+ 		retval = ext2fs_get_mem(SUPERBLOCK_SIZE, &super_shadow);
+ 		if (retval)
+ 			goto errout;
+-		retval = ext2fs_get_mem((size_t)(fs->blocksize *
+-						 fs->desc_blocks),
++		retval = ext2fs_get_array(fs->blocksize, fs->desc_blocks,
+ 					&group_shadow);
+ 		if (retval)
+ 			goto errout;
+Index: e2fsprogs-1.40.2/lib/ext2fs/dblist.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/dblist.c
++++ e2fsprogs-1.40.2/lib/ext2fs/dblist.c
+@@ -85,7 +85,8 @@ static errcode_t make_dblist(ext2_filsys
+ 	}
+ 	len = (size_t) sizeof(struct ext2_db_entry) * dblist->size;
+ 	dblist->count = count;
+-	retval = ext2fs_get_mem(len, &dblist->list);
++	retval = ext2fs_get_array(dblist->size, sizeof(struct ext2_db_entry),
++		&dblist->list);
+ 	if (retval)
+ 		goto cleanup;
+ 	
+Index: e2fsprogs-1.40.2/lib/ext2fs/dupfs.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/dupfs.c
++++ e2fsprogs-1.40.2/lib/ext2fs/dupfs.c
+@@ -59,7 +59,7 @@ errcode_t ext2fs_dup_handle(ext2_filsys 
+ 		goto errout;
+ 	memcpy(fs->orig_super, src->orig_super, SUPERBLOCK_SIZE);
+ 
+-	retval = ext2fs_get_mem((size_t) fs->desc_blocks * fs->blocksize,
++	retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize,
+ 				&fs->group_desc);
+ 	if (retval)
+ 		goto errout;
+Index: e2fsprogs-1.40.2/lib/ext2fs/ext2fs.h
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/ext2fs.h
++++ e2fsprogs-1.40.2/lib/ext2fs/ext2fs.h
+@@ -965,6 +965,7 @@ extern errcode_t ext2fs_write_bb_FILE(ex
+ 
+ /* inline functions */
+ extern errcode_t ext2fs_get_mem(unsigned long size, void *ptr);
++extern errcode_t ext2fs_get_array(unsigned long count, unsigned long size, void *ptr);
+ extern errcode_t ext2fs_free_mem(void *ptr);
+ extern errcode_t ext2fs_resize_mem(unsigned long old_size,
+ 				   unsigned long size, void *ptr);
+@@ -1018,6 +1019,12 @@ _INLINE_ errcode_t ext2fs_get_mem(unsign
+ 	memcpy(ptr, &pp, sizeof (pp));
+ 	return 0;
+ }
++_INLINE_ errcode_t ext2fs_get_array(unsigned long count, unsigned long size, void *ptr)
++{
++	if (count && (-1UL)/count<size)
++		return EXT2_ET_NO_MEMORY; //maybe define EXT2_ET_OVERFLOW ?
++	return ext2fs_get_mem(count*size, ptr);
++}
+ 
+ /*
+  * Free memory
+Index: e2fsprogs-1.40.2/lib/ext2fs/fileio.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/fileio.c
++++ e2fsprogs-1.40.2/lib/ext2fs/fileio.c
+@@ -65,7 +65,7 @@ errcode_t ext2fs_file_open2(ext2_filsys 
+ 			goto fail;
+ 	}
+ 	
+-	retval = ext2fs_get_mem(fs->blocksize * 3, &file->buf);
++	retval = ext2fs_get_array(3, fs->blocksize, &file->buf);
+ 	if (retval)
+ 		goto fail;
+ 
+Index: e2fsprogs-1.40.2/lib/ext2fs/icount.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/icount.c
++++ e2fsprogs-1.40.2/lib/ext2fs/icount.c
+@@ -237,7 +237,8 @@ errcode_t ext2fs_create_icount2(ext2_fil
+ 	printf("Icount allocated %u entries, %d bytes.\n",
+ 	       icount->size, bytes);
+ #endif
+-	retval = ext2fs_get_mem(bytes, &icount->list);
++	retval = ext2fs_get_array(icount->size, sizeof(struct ext2_icount_el),
++			 &icount->list);
+ 	if (retval)
+ 		goto errout;
+ 	memset(icount->list, 0, bytes);
+Index: e2fsprogs-1.40.2/lib/ext2fs/initialize.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/initialize.c
++++ e2fsprogs-1.40.2/lib/ext2fs/initialize.c
+@@ -349,7 +349,7 @@ ipg_retry:
+ 
+ 	ext2fs_free_mem(&buf);
+ 
+-	retval = ext2fs_get_mem((size_t) fs->desc_blocks * fs->blocksize,
++	retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize,
+ 				&fs->group_desc);
+ 	if (retval)
+ 		goto cleanup;
+Index: e2fsprogs-1.40.2/lib/ext2fs/inode.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/inode.c
++++ e2fsprogs-1.40.2/lib/ext2fs/inode.c
+@@ -90,9 +90,9 @@ static errcode_t create_icache(ext2_fils
+ 	fs->icache->cache_last = -1;
+ 	fs->icache->cache_size = 4;
+ 	fs->icache->refcount = 1;
+-	retval = ext2fs_get_mem(sizeof(struct ext2_inode_cache_ent)
+-				* fs->icache->cache_size,
+-				&fs->icache->cache);
++	retval = ext2fs_get_array(fs->icache->cache_size,
++				  sizeof(struct ext2_inode_cache_ent),
++				  &fs->icache->cache);
+ 	if (retval) {
+ 		ext2fs_free_mem(&fs->icache->buffer);
+ 		ext2fs_free_mem(&fs->icache);
+@@ -146,8 +146,8 @@ errcode_t ext2fs_open_inode_scan(ext2_fi
+ 		group_desc[scan->current_group].bg_inode_table;
+ 	scan->inodes_left = EXT2_INODES_PER_GROUP(scan->fs->super);
+ 	scan->blocks_left = scan->fs->inode_blocks_per_group;
+-	retval = ext2fs_get_mem((size_t) (scan->inode_buffer_blocks * 
+-					  fs->blocksize),
++	retval = ext2fs_get_array(scan->inode_buffer_blocks,
++					  fs->blocksize,
+ 				&scan->inode_buffer);
+ 	scan->done_group = 0;
+ 	scan->done_group_data = 0;
+Index: e2fsprogs-1.40.2/lib/ext2fs/irel_ma.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/irel_ma.c
++++ e2fsprogs-1.40.2/lib/ext2fs/irel_ma.c
+@@ -90,21 +90,24 @@ errcode_t ext2fs_irel_memarray_create(ch
+ 	irel->priv_data = ma;
+ 	
+ 	size = (size_t) (sizeof(ext2_ino_t) * (max_inode+1));
+-	retval = ext2fs_get_mem(size, &ma->orig_map);
++	retval = ext2fs_get_array(max_inode+1, sizeof(ext2_ino_t),
++		&ma->orig_map);
+ 	if (retval)
+ 		goto errout;
+ 	memset(ma->orig_map, 0, size);
+ 
+ 	size = (size_t) (sizeof(struct ext2_inode_relocate_entry) *
+ 			 (max_inode+1));
+-	retval = ext2fs_get_mem(size, &ma->entries);
++	retval = ext2fs_get_array((max_inode+1,
++		sizeof(struct ext2_inode_relocate_entry), &ma->entries);
+ 	if (retval)
+ 		goto errout;
+ 	memset(ma->entries, 0, size);
+ 
+ 	size = (size_t) (sizeof(struct inode_reference_entry) *
+ 			 (max_inode+1));
+-	retval = ext2fs_get_mem(size, &ma->ref_entries);
++	retval = ext2fs_get_mem(max_inode+1,
++		sizeof(struct inode_reference_entry), &ma->ref_entries);
+ 	if (retval)
+ 		goto errout;
+ 	memset(ma->ref_entries, 0, size);
+@@ -249,7 +252,8 @@ static errcode_t ima_add_ref(ext2_irel i
+ 	if (ref_ent->refs == 0) {
+ 		size = (size_t) ((sizeof(struct ext2_inode_reference) * 
+ 				  ent->max_refs));
+-		retval = ext2fs_get_mem(size, &ref_ent->refs);
++		retval = ext2fs_get_array(ent->max_refs,
++			sizeof(struct ext2_inode_reference), &ref_ent->refs);
+ 		if (retval)
+ 			return retval;
+ 		memset(ref_ent->refs, 0, size);
+Index: e2fsprogs-1.40.2/lib/ext2fs/openfs.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/openfs.c
++++ e2fsprogs-1.40.2/lib/ext2fs/openfs.c
+@@ -276,7 +276,7 @@ errcode_t ext2fs_open2(const char *name,
+ 					       blocks_per_group);
+ 	fs->desc_blocks = ext2fs_div_ceil(fs->group_desc_count,
+ 					  EXT2_DESC_PER_BLOCK(fs->super));
+-	retval = ext2fs_get_mem(fs->desc_blocks * fs->blocksize,
++	retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize,
+ 				&fs->group_desc);
+ 	if (retval)
+ 		goto cleanup;
+Index: e2fsprogs-1.40.2/lib/ext2fs/res_gdt.c
+===================================================================
+--- e2fsprogs-1.40.2.orig/lib/ext2fs/res_gdt.c
++++ e2fsprogs-1.40.2/lib/ext2fs/res_gdt.c
+@@ -73,7 +73,7 @@ errcode_t ext2fs_create_resize_inode(ext
+ 
+ 	sb = fs->super;
+ 
+-	retval = ext2fs_get_mem(2 * fs->blocksize, &dindir_buf);
++	retval = ext2fs_get_array(2, fs->blocksize, &dindir_buf);
+ 	if (retval)
+ 		goto out_free;
+ 	gdt_buf = (__u32 *)((char *)dindir_buf + fs->blocksize);
diff --git a/e2fsprogs.spec b/e2fsprogs.spec
index ac481d3..5038acc 100644
--- a/e2fsprogs.spec
+++ b/e2fsprogs.spec
@@ -4,7 +4,7 @@
 Summary: Utilities for managing the second and third extended (ext2/ext3) filesystems
 Name: e2fsprogs
 Version: 1.40.2
-Release: 13%{?dist}
+Release: 14%{?dist}
 # License based on upstream-modified COPYING file,
 # which clearly states "V2" intent.
 License: GPLv2
@@ -24,6 +24,7 @@ Patch65: e2fsprogs-1.40.2-fix-open-create-modes.patch
 Patch66: e2fsprogs-1.40.2-protect-open-ops.patch
 Patch67: e2fsprogs-1.40.2-blkid-FAT-magic-not-on-strict-position.patch
 Patch68: e2fsprogs-1.40.2-blkid-squashfs.patch
+Patch69: e2fsprogs-1.40.2-integer-overflows.patch
 
 Url: http://e2fsprogs.sourceforge.net/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -107,6 +108,8 @@ also want to install e2fsprogs.
 %patch67 -p1 -b .blkid-fat
 # detect squashfs in libblkid (#305151)
 %patch68 -p1 -b .blkid-squashfs
+# prevent integer overflows (#414591 / CVE-2007-5497)
+%patch69 -p1 -b .overflows
 
 %build
 aclocal
@@ -268,6 +271,9 @@ exit 0
 %{_mandir}/man3/uuid_unparse.3*
 
 %changelog
+* Tue Dec 11 2007 Eric Sandeen <esandeen@redhat.com> 1.40.2-14
+- Fix integer overflows (#414591 / CVE-2007-5497)
+
 * Tue Dec  4 2007 Stepan Kasal <skasal@redhat.com> 1.40.2-13
 - The -devel package now requires device-mapper-devel, to match
   the dependency in blkid.pc (#410791)
author	Eric Sandeen <sandeen@fedoraproject.org>	2007-12-12 20:16:57 +0000
committer	Eric Sandeen <sandeen@fedoraproject.org>	2007-12-12 20:16:57 +0000
commit	e7a9631152f124d9f9f8e674ec466d428eb6c8ef (patch)
tree	14781a84f6f2c9b06e70493a05d95a0cd283e45b
parent	ecf110c62357836c58f665433c773edf7ba5fcb3 (diff)
download	e2fsprogs-e7a9631152f124d9f9f8e674ec466d428eb6c8ef.tar.gz e2fsprogs-e7a9631152f124d9f9f8e674ec466d428eb6c8ef.tar.xz e2fsprogs-e7a9631152f124d9f9f8e674ec466d428eb6c8ef.zip