From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Mon, 20 Jun 2022 08:22:04 +0200 Received: from metis.ext.pengutronix.de ([2001:67c:670:201:290:27ff:fe1d:cc33]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1o3AnS-007oBY-PZ for lore@lore.pengutronix.de; Mon, 20 Jun 2022 08:22:04 +0200 Received: from localhost ([127.0.0.1] helo=metis.ext.pengutronix.de) by metis.ext.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1o3AnT-0007RP-2O; Mon, 20 Jun 2022 08:22:03 +0200 Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1o3AlE-0004T9-Ep; Mon, 20 Jun 2022 08:19:44 +0200 Received: from [2a0a:edc0:0:1101:1d::39] (helo=dude03.red.stw.pengutronix.de) by drehscheibe.grey.stw.pengutronix.de with esmtp (Exim 4.94.2) (envelope-from ) id 1o3AlC-001agR-BJ; Mon, 20 Jun 2022 08:19:43 +0200 Received: from mol by dude03.red.stw.pengutronix.de with local (Exim 4.94.2) (envelope-from ) id 1o3AlD-006GAN-37; Mon, 20 Jun 2022 08:19:43 +0200 
From: Michael Olbrich To: ptxdist@pengutronix.de Date: Mon, 20 Jun 2022 08:19:43 +0200 Message-Id: <20220620061943.1492068-1-m.olbrich@pengutronix.de> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220616132741.1053903-1-christian.melki@t2data.com> References: <20220616132741.1053903-1-christian.melki@t2data.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: Re: [ptxdist] [APPLIED] e2fsprogs: Fix CVE-2022-1304. X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Cc: Christian Melki Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false Thanks, applied as a3e07da1670101669dbe876fd8ef094decc9803c. Michael [sent from post-receive hook] On Mon, 20 Jun 2022 08:19:42 +0200, Christian Melki wrote: > Out-of-bounds read/write vulnerability. > Issue leads to segmentation fault and possibly arbitrary code > execution via a specially crafted filesystem. > > Signed-off-by: Christian Melki > Message-Id: <20220616132741.1053903-1-christian.melki@t2data.com> > Signed-off-by: Michael Olbrich > > diff --git a/patches/e2fsprogs-1.46.5/0001-libext2fs-add-sanity-check-to-extent-manipulation.patch b/patches/e2fsprogs-1.46.5/0001-libext2fs-add-sanity-check-to-extent-manipulation.patch > new file mode 100644 > index 000000000000..979dbb23608c > --- /dev/null > +++ b/patches/e2fsprogs-1.46.5/0001-libext2fs-add-sanity-check-to-extent-manipulation.patch 
> @@ -0,0 +1,51 @@ > +From: Lukas Czerner > +Date: Thu, 21 Apr 2022 19:31:48 +0200 > +Subject: [PATCH] libext2fs: add sanity check to extent manipulation > + > +It is possible to have a corrupted extent tree in such a way that a leaf > +node contains zero extents in it. Currently if that happens and we try > +to traverse the tree we can end up accessing wrong data, or possibly > +even uninitialized memory. Make sure we don't do that. > + > +Additionally make sure that we have a sane number of bytes passed to > +memmove() in ext2fs_extent_delete(). > + > +Note that e2fsck is currently unable to spot and fix such corruption in > +pass1. > + > +Signed-off-by: Lukas Czerner > +Reported-by: Nils Bars > +Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113 > +Addresses: CVE-2022-1304 > +Addresses-Debian-Bug: #1010263 > +Signed-off-by: Theodore Ts'o > +--- > + lib/ext2fs/extent.c | 8 ++++++++ > + 1 file changed, 8 insertions(+) > + > +diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c > +index b324c7b0f8c8..1a206a16c13f 100644 > +--- a/lib/ext2fs/extent.c > ++++ b/lib/ext2fs/extent.c > +@@ -495,6 +495,10 @@ retry: > + ext2fs_le16_to_cpu(eh->eh_entries); > + newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max); > + > ++ /* Make sure there is at least one extent present */ > ++ if (newpath->left <= 0) > ++ return EXT2_ET_EXTENT_NO_DOWN; > ++ > + if (path->left > 0) { > + ix++; > + newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block); > +@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags) > + > + cp = path->curr; > + > ++ /* Sanity check before memmove() */ > ++ if (path->left < 0) > ++ return EXT2_ET_EXTENT_LEAF_BAD; > ++ > + if (path->left) { > + memmove(cp, cp + sizeof(struct ext3_extent_idx), > + path->left * sizeof(struct ext3_extent_idx)); > diff --git a/patches/e2fsprogs-1.46.5/series b/patches/e2fsprogs-1.46.5/series > new file mode 100644 > index 000000000000..d4319d8ac6eb > --- /dev/null 
> +++ b/patches/e2fsprogs-1.46.5/series > @@ -0,0 +1,4 @@ > +# generated by git-ptx-patches > +#tag:base --start-number 1 > +0001-libext2fs-add-sanity-check-to-extent-manipulation.patch > +# 77d6a61d2930f9f66b3b54043619c609 - git-ptx-patches magic
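Review bot: in the `@@ -495,6 +495,10 @@ retry:` hunk, the new `if (newpath->left <= 0)` check rejects a node whose header claims zero entries, but it does not bound that count against the `eh_max` value read one line earlier into `newpath->max_entries`; unless that relation is verified before this point, a node advertising more entries than its block holds still passes and later traversal of the node's entries relies on the oversized count. Consider extending the condition to `if (newpath->left <= 0 || newpath->left > newpath->max_entries)`. A second, smaller point: `EXT2_ET_EXTENT_NO_DOWN` reads as "nothing below", whereas this is a corrupted node; the following hunk returns `EXT2_ET_EXTENT_LEAF_BAD` for the same class of damage, so either a matching code here or a comment explaining why `NO_DOWN` was chosen would keep callers' error handling consistent.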
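Review bot: in the `@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete` hunk, the `if (path->left < 0)` guard is correctly placed before the `memmove()`, since `path->left * sizeof(struct ext3_extent_idx)` turns a negative `int` into a very large `size_t` length, but the comment `/* Sanity check before memmove() */` states neither that reason nor that `left == 0` is legitimate here (deleting the last entry, which the existing `if (path->left)` then skips), whereas the previous hunk treats `<= 0` as corruption. Suggest a comment along the lines of `/* left scales the memmove() length; a negative value means a corrupted path */`. Note also that the guard only checks the sign: the move still assumes `cp` plus `left` entries stays inside the node, which holds only if `left` never exceeds the node's entry capacity when the path is built, so it is worth confirming an upper bound is enforced there as well.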