base/SOURCES/e2fsprogs-1.42.9-libext2fs-...

commit f66e6ce4446738c2c7f43d41988a3eb73347e2f5
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sat Aug 9 12:24:54 2014 -0400

    libext2fs: avoid buffer overflow if s_first_meta_bg is too big

    If s_first_meta_bg is greater than the of number block group
    descriptor blocks, then reading or writing the block group descriptors
    will end up overruning the memory buffer allocated for the
    descriptors.  Fix this by limiting first_meta_bg to no more than
    fs->desc_blocks.  This doesn't correct the bad s_first_meta_bg value,
    but it avoids causing the e2fsprogs userspace programs from
    potentially crashing.

    Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Index: e2fsprogs-1.42.9/lib/ext2fs/closefs.c
===================================================================
--- e2fsprogs-1.42.9.orig/lib/ext2fs/closefs.c
+++ e2fsprogs-1.42.9/lib/ext2fs/closefs.c
@@ -336,9 +336,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs,
	 * superblocks and group descriptors.
	 */
	group_ptr = (char *) group_shadow;
-	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
+	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
		old_desc_blocks = fs->super->s_first_meta_bg;
-	else
+		if (old_desc_blocks > fs->super->s_first_meta_bg)
+			old_desc_blocks = fs->desc_blocks;
+	} else
		old_desc_blocks = fs->desc_blocks;

	ext2fs_numeric_progress_init(fs, &progress, NULL,
Index: e2fsprogs-1.42.9/lib/ext2fs/openfs.c
===================================================================
--- e2fsprogs-1.42.9.orig/lib/ext2fs/openfs.c
+++ e2fsprogs-1.42.9/lib/ext2fs/openfs.c
@@ -348,9 +348,11 @@ errcode_t ext2fs_open2(const char *name,
 #ifdef WORDS_BIGENDIAN
	groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
 #endif
-	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
+	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
		first_meta_bg = fs->super->s_first_meta_bg;
-	else
+		if (first_meta_bg > fs->desc_blocks)
+			first_meta_bg = fs->desc_blocks;
+	} else
		first_meta_bg = fs->desc_blocks;
	if (first_meta_bg) {
		retval = io_channel_read_blk(fs->io, group_block+1,
e2fsprogs package update Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org> 6 years ago			`commit f66e6ce4446738c2c7f43d41988a3eb73347e2f5`
			`Author: Theodore Ts'o <tytso@mit.edu>`
			`Date: Sat Aug 9 12:24:54 2014 -0400`

			`libext2fs: avoid buffer overflow if s_first_meta_bg is too big`

			`If s_first_meta_bg is greater than the of number block group`
			`descriptor blocks, then reading or writing the block group descriptors`
			`will end up overruning the memory buffer allocated for the`
			`descriptors. Fix this by limiting first_meta_bg to no more than`
			`fs->desc_blocks. This doesn't correct the bad s_first_meta_bg value,`
			`but it avoids causing the e2fsprogs userspace programs from`
			`potentially crashing.`

			`Signed-off-by: Theodore Ts'o <tytso@mit.edu>`

			`Index: e2fsprogs-1.42.9/lib/ext2fs/closefs.c`
			`===================================================================`
			`--- e2fsprogs-1.42.9.orig/lib/ext2fs/closefs.c`
			`+++ e2fsprogs-1.42.9/lib/ext2fs/closefs.c`
			`@@ -336,9 +336,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs,`
			`* superblocks and group descriptors.`
			`*/`
			`group_ptr = (char *) group_shadow;`
			`- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)`
			`+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {`
			`old_desc_blocks = fs->super->s_first_meta_bg;`
			`- else`
			`+ if (old_desc_blocks > fs->super->s_first_meta_bg)`
			`+ old_desc_blocks = fs->desc_blocks;`
			`+ } else`
			`old_desc_blocks = fs->desc_blocks;`

			`ext2fs_numeric_progress_init(fs, &progress, NULL,`
			`Index: e2fsprogs-1.42.9/lib/ext2fs/openfs.c`
			`===================================================================`
			`--- e2fsprogs-1.42.9.orig/lib/ext2fs/openfs.c`
			`+++ e2fsprogs-1.42.9/lib/ext2fs/openfs.c`
			`@@ -348,9 +348,11 @@ errcode_t ext2fs_open2(const char *name,`
			`#ifdef WORDS_BIGENDIAN`
			`groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);`
			`#endif`
			`- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)`
			`+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {`
			`first_meta_bg = fs->super->s_first_meta_bg;`
			`- else`
			`+ if (first_meta_bg > fs->desc_blocks)`
			`+ first_meta_bg = fs->desc_blocks;`
			`+ } else`
			`first_meta_bg = fs->desc_blocks;`
			`if (first_meta_bg) {`
			`retval = io_channel_read_blk(fs->io, group_block+1,`