commit f66e6ce4446738c2c7f43d41988a3eb73347e2f5
Author: Theodore Ts'o <tytso@mit.edu>
Date: Sat Aug 9 12:24:54 2014 -0400
libext2fs: avoid buffer overflow if s_first_meta_bg is too big
If s_first_meta_bg is greater than the number of block group
descriptor blocks, then reading or writing the block group descriptors
will end up overrunning the memory buffer allocated for the
descriptors. Fix this by limiting first_meta_bg to no more than
fs->desc_blocks. This doesn't correct the bad s_first_meta_bg value,
but it keeps the e2fsprogs userspace programs from
potentially crashing.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Index: e2fsprogs-1.42.9/lib/ext2fs/closefs.c
===================================================================
--- e2fsprogs-1.42.9.orig/lib/ext2fs/closefs.c
+++ e2fsprogs-1.42.9/lib/ext2fs/closefs.c
@@ -336,9 +336,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs,
* superblocks and group descriptors.
*/
group_ptr = (char *) group_shadow;
- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
old_desc_blocks = fs->super->s_first_meta_bg;
- else
+ if (old_desc_blocks > fs->super->s_first_meta_bg)
+ old_desc_blocks = fs->desc_blocks;
+ } else
old_desc_blocks = fs->desc_blocks;
ext2fs_numeric_progress_init(fs, &progress, NULL,
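Review bot: The clamp added in ext2fs_flush2() can never fire: `old_desc_blocks` has just been assigned `fs->super->s_first_meta_bg`, so `if (old_desc_blocks > fs->super->s_first_meta_bg)` compares the value with itself and is always false. An oversized s_first_meta_bg therefore still reaches the group-descriptor write path unclamped, which is the overrun the commit message sets out to prevent. The bound should be the descriptor block count, as the openfs.c hunk does it: `if (old_desc_blocks > fs->desc_blocks)`. The code in ext2fs_flush2() that consumes old_desc_blocks lies outside this hunk, so the exact effect on the write loop should be confirmed there.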
Index: e2fsprogs-1.42.9/lib/ext2fs/openfs.c
===================================================================
--- e2fsprogs-1.42.9.orig/lib/ext2fs/openfs.c
+++ e2fsprogs-1.42.9/lib/ext2fs/openfs.c
@@ -348,9 +348,11 @@ errcode_t ext2fs_open2(const char *name,
#ifdef WORDS_BIGENDIAN
groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
#endif
- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
first_meta_bg = fs->super->s_first_meta_bg;
- else
+ if (first_meta_bg > fs->desc_blocks)
+ first_meta_bg = fs->desc_blocks;
+ } else
first_meta_bg = fs->desc_blocks;
if (first_meta_bg) {
retval = io_channel_read_blk(fs->io, group_block+1,
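Review bot: The new clamp in ext2fs_open2() has no comment saying why it is there, so a later reader could take it for redundant code and remove it. s_first_meta_bg is read from the on-disk superblock and has to be treated as untrusted; a short comment above the check would record that, e.g. `/* s_first_meta_bg comes from disk; cap it so descriptor reads stay inside the descriptor buffer */`. Because the clamp quietly tolerates a corrupt value, the comment could also say that the field itself is left uncorrected, as the commit message notes. The read loop that uses first_meta_bg continues past the end of this hunk.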