From f66e6ce4446738c2c7f43d41988a3eb73347e2f5 Mon Sep 17 00:00:00 2001 From: Theodore Ts'o Date: Sat, 9 Aug 2014 12:24:54 -0400 Subject: libext2fs: avoid buffer overflow if s_first_meta_bg is too big If s_first_meta_bg is greater than the of number block group descriptor blocks, then reading or writing the block group descriptors will end up overruning the memory buffer allocated for the descriptors. Fix this by limiting first_meta_bg to no more than fs->desc_blocks. This doesn't correct the bad s_first_meta_bg value, but it avoids causing the e2fsprogs userspace programs from potentially crashing. Upstream-Status: Backport CVE: CVE-2015-0247 Signed-off-by: Theodore Ts'o Signed-off-by: Sona Sarmadi diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c index 4599eef..1f99113 100644 --- a/lib/ext2fs/closefs.c +++ b/lib/ext2fs/closefs.c @@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags) * superblocks and group descriptors. */ group_ptr = (char *) group_shadow; - if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) + if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) { old_desc_blocks = fs->super->s_first_meta_bg; - else + if (old_desc_blocks > fs->super->s_first_meta_bg) + old_desc_blocks = fs->desc_blocks; + } else old_desc_blocks = fs->desc_blocks; ext2fs_numeric_progress_init(fs, &progress, NULL, diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c index a1a3517..ba501e6 100644 --- a/lib/ext2fs/openfs.c +++ b/lib/ext2fs/openfs.c @@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name, const char *io_options, #ifdef WORDS_BIGENDIAN groups_per_block = EXT2_DESC_PER_BLOCK(fs->super); #endif - if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) + if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) { first_meta_bg = fs->super->s_first_meta_bg; - else + if (first_meta_bg > fs->desc_blocks) + first_meta_bg = fs->desc_blocks; + } else first_meta_bg = fs->desc_blocks; if (first_meta_bg) { retval = io_channel_read_blk(fs->io, group_block + -- cgit v0.10.2