|
 |
ec15cf |
commit f66e6ce4446738c2c7f43d41988a3eb73347e2f5
|
|
|
ec15cf |
Author: Theodore Ts'o <tytso@mit.edu>
|
|
|
ec15cf |
Date: Sat Aug 9 12:24:54 2014 -0400
|
|
|
ec15cf |
|
|
|
ec15cf |
libext2fs: avoid buffer overflow if s_first_meta_bg is too big
|
|
|
ec15cf |
|
|
|
ec15cf |
If s_first_meta_bg is greater than the of number block group
|
|
|
ec15cf |
descriptor blocks, then reading or writing the block group descriptors
|
|
|
ec15cf |
will end up overruning the memory buffer allocated for the
|
|
|
ec15cf |
descriptors. Fix this by limiting first_meta_bg to no more than
|
|
|
ec15cf |
fs->desc_blocks. This doesn't correct the bad s_first_meta_bg value,
|
|
|
ec15cf |
but it avoids causing the e2fsprogs userspace programs from
|
|
|
ec15cf |
potentially crashing.
|
|
|
ec15cf |
|
|
|
ec15cf |
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
ec15cf |
|
|
|
ec15cf |
Index: e2fsprogs-1.42.9/lib/ext2fs/closefs.c
|
|
|
ec15cf |
===================================================================
|
|
|
ec15cf |
--- e2fsprogs-1.42.9.orig/lib/ext2fs/closefs.c
|
|
|
ec15cf |
+++ e2fsprogs-1.42.9/lib/ext2fs/closefs.c
|
|
|
ec15cf |
@@ -336,9 +336,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs,
|
|
|
ec15cf |
* superblocks and group descriptors.
|
|
|
ec15cf |
*/
|
|
|
ec15cf |
group_ptr = (char *) group_shadow;
|
|
|
ec15cf |
- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
|
|
|
ec15cf |
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
|
|
|
ec15cf |
old_desc_blocks = fs->super->s_first_meta_bg;
|
|
|
ec15cf |
- else
|
|
|
ec15cf |
+ if (old_desc_blocks > fs->super->s_first_meta_bg)
|
|
|
ec15cf |
+ old_desc_blocks = fs->desc_blocks;
|
|
|
ec15cf |
+ } else
|
|
|
ec15cf |
old_desc_blocks = fs->desc_blocks;
|
|
|
ec15cf |
|
|
|
ec15cf |
ext2fs_numeric_progress_init(fs, &progress, NULL,
|
|
|
ec15cf |
Index: e2fsprogs-1.42.9/lib/ext2fs/openfs.c
|
|
|
ec15cf |
===================================================================
|
|
|
ec15cf |
--- e2fsprogs-1.42.9.orig/lib/ext2fs/openfs.c
|
|
|
ec15cf |
+++ e2fsprogs-1.42.9/lib/ext2fs/openfs.c
|
|
|
ec15cf |
@@ -348,9 +348,11 @@ errcode_t ext2fs_open2(const char *name,
|
|
|
ec15cf |
#ifdef WORDS_BIGENDIAN
|
|
|
ec15cf |
groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
|
|
|
ec15cf |
#endif
|
|
|
ec15cf |
- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
|
|
|
ec15cf |
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
|
|
|
ec15cf |
first_meta_bg = fs->super->s_first_meta_bg;
|
|
|
ec15cf |
- else
|
|
|
ec15cf |
+ if (first_meta_bg > fs->desc_blocks)
|
|
|
ec15cf |
+ first_meta_bg = fs->desc_blocks;
|
|
|
ec15cf |
+ } else
|
|
|
ec15cf |
first_meta_bg = fs->desc_blocks;
|
|
|
ec15cf |
if (first_meta_bg) {
|
|
|
ec15cf |
retval = io_channel_read_blk(fs->io, group_block+1,
|