From mboxrd@z Thu Jan 1 00:00:00 1970
From: Christian Melki
To: ptxdist@pengutronix.de
Date: Thu, 16 Jun 2022 15:27:41 +0200
Message-Id: <20220616132741.1053903-1-christian.melki@t2data.com>
X-Mailer: git-send-email 2.34.1
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
Subject: [ptxdist] [PATCH] e2fsprogs: Fix CVE-2022-1304.
List-Id: PTXdist Development Mailing List
Reply-To: ptxdist@pengutronix.de

Out-of-bounds read/write vulnerability. Issue leads to segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.
Signed-off-by: Christian Melki --- ...-sanity-check-to-extent-manipulation.patch | 51 +++++++++++++++++++ patches/e2fsprogs-1.46.5/series | 4 ++ 2 files changed, 55 insertions(+) create mode 100644 patches/e2fsprogs-1.46.5/0001-libext2fs-add-sanity-check-to-extent-manipulation.patch create mode 100644 patches/e2fsprogs-1.46.5/series diff --git a/patches/e2fsprogs-1.46.5/0001-libext2fs-add-sanity-check-to-extent-manipulation.patch b/patches/e2fsprogs-1.46.5/0001-libext2fs-add-sanity-check-to-extent-manipulation.patch new file mode 100644 index 000000000..979dbb236 --- /dev/null +++ b/patches/e2fsprogs-1.46.5/0001-libext2fs-add-sanity-check-to-extent-manipulation.patch 
@@ -0,0 +1,51 @@ +From: Lukas Czerner +Date: Thu, 21 Apr 2022 19:31:48 +0200 +Subject: [PATCH] libext2fs: add sanity check to extent manipulation + +It is possible to have a corrupted extent tree in such a way that a leaf +node contains zero extents in it. Currently if that happens and we try +to traverse the tree we can end up accessing wrong data, or possibly +even uninitialized memory. Make sure we don't do that. + +Additionally make sure that we have a sane number of bytes passed to +memmove() in ext2fs_extent_delete(). + +Note that e2fsck is currently unable to spot and fix such corruption in +pass1. + +Signed-off-by: Lukas Czerner +Reported-by: Nils Bars +Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113 +Addresses: CVE-2022-1304 +Addresses-Debian-Bug: #1010263 +Signed-off-by: Theodore Ts'o +--- + lib/ext2fs/extent.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c +index b324c7b0f8c8..1a206a16c13f 100644 +--- a/lib/ext2fs/extent.c ++++ b/lib/ext2fs/extent.c +@@ -495,6 +495,10 @@ retry: + ext2fs_le16_to_cpu(eh->eh_entries); + newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max); + ++ /* Make sure there is at least one extent present */ ++ if (newpath->left <= 0) ++ return EXT2_ET_EXTENT_NO_DOWN; ++ + if (path->left > 0) { + ix++; + newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block); +@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags) + + cp = path->curr; + ++ /* Sanity check before memmove() */ ++ if (path->left < 0) ++ return EXT2_ET_EXTENT_LEAF_BAD; ++ + if (path->left) { + memmove(cp, cp + sizeof(struct ext3_extent_idx), + path->left * sizeof(struct ext3_extent_idx)); diff --git a/patches/e2fsprogs-1.46.5/series b/patches/e2fsprogs-1.46.5/series new file mode 100644 index 000000000..d4319d8ac --- /dev/null +++ b/patches/e2fsprogs-1.46.5/series 
@@ -0,0 +1,4 @@ +# generated by git-ptx-patches +#tag:base --start-number 1 +0001-libext2fs-add-sanity-check-to-extent-manipulation.patch +# 77d6a61d2930f9f66b3b54043619c609 - git-ptx-patches magic -- 2.34.1
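Review bot: In the lib/ext2fs/extent.c hunk at @@ -495, the new check "if (newpath->left <= 0)" returns EXT2_ET_EXTENT_NO_DOWN, while the companion check in ext2fs_extent_delete() returns EXT2_ET_EXTENT_LEAF_BAD. The embedded commit message describes a node with zero extents as corruption, so a caller that treats NO_DOWN as an ordinary traversal result would not learn that the tree is damaged. Consider returning a corruption error here as well, or extend the comment to say why NO_DOWN is the intended code. The check also sits after newpath->max_entries has been filled in from the on-disk header, so it is worth confirming that nothing keeps using the partly initialised newpath after this early return.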
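Review bot: In the ext2fs_extent_delete() hunk at @@ -1630, "if (path->left < 0)" rejects only the negative case. The memmove() that follows still copies path->left * sizeof(struct ext3_extent_idx) bytes for any positive value, so a node whose entry count is inflated would pass this check. Unless path->left is already bounded where the node is loaded, also reject a value larger than the node can hold (for example by comparing against the max_entries value read in the first hunk) before calling memmove(). The one-line comment could also say that a negative value means a corrupted leaf, since that is what the returned EXT2_ET_EXTENT_LEAF_BAD reports.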