From 43eb93441fa33822cb1871a758cad892baeb8cce Mon Sep 17 00:00:00 2001 From: Josef Schlehofer Date: Wed, 1 Jan 2020 17:22:01 +0100 Subject: [PATCH] e2fsprogs: update to version 1.45.4 Removed backported patch Release notes: http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.45.4 Signed-off-by: Josef Schlehofer --- package/utils/e2fsprogs/Makefile | 6 +- .../100-CVE-2019-5094-libsupport.patch | 203 ------------------ 2 files changed, 3 insertions(+), 206 deletions(-) delete mode 100644 package/utils/e2fsprogs/patches/100-CVE-2019-5094-libsupport.patch diff --git a/package/utils/e2fsprogs/Makefile b/package/utils/e2fsprogs/Makefile index b2b6ea31ea..3ba77abc7a 100644 --- a/package/utils/e2fsprogs/Makefile +++ b/package/utils/e2fsprogs/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=e2fsprogs -PKG_VERSION:=1.44.5 -PKG_RELEASE:=2 +PKG_VERSION:=1.45.4 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@KERNEL/linux/kernel/people/tytso/e2fsprogs/v$(PKG_VERSION)/ -PKG_HASH:=ba5eb3069d69160d96818bb9700de9ab5a8458d9add1fd85d427c0000d34c5b9 +PKG_HASH:=65faf6b590ca1da97440d6446bd11de9e0914b42553740ba5d9d2a796fa0dc02 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=NOTICE diff --git a/package/utils/e2fsprogs/patches/100-CVE-2019-5094-libsupport.patch b/package/utils/e2fsprogs/patches/100-CVE-2019-5094-libsupport.patch deleted file mode 100644 index c69f465052..0000000000 --- a/package/utils/e2fsprogs/patches/100-CVE-2019-5094-libsupport.patch +++ /dev/null @@ -1,203 +0,0 @@ -From 09fe1fd2a1f9efc3091b4fc61f1876d0785956a8 Mon Sep 17 00:00:00 2001 -From: Theodore Ts'o -Date: Sun, 1 Sep 2019 00:59:16 -0400 -Subject: libsupport: add checks to prevent buffer overrun bugs in quota code - -A maliciously corrupted file systems can trigger buffer overruns in -the quota code used by e2fsck. To fix this, add sanity checks to the -quota header fields as well as to block number references in the quota -tree. - -Addresses: CVE-2019-5094 -Addresses: TALOS-2019-0887 -Signed-off-by: Theodore Ts'o -(cherry picked from commit 8dbe7b475ec5e91ed767239f0e85880f416fc384) ---- - lib/support/mkquota.c | 1 + - lib/support/quotaio_tree.c | 71 ++++++++++++++++++++++++++++++---------------- - lib/support/quotaio_v2.c | 28 ++++++++++++++++++ - 3 files changed, 76 insertions(+), 24 deletions(-) - ---- a/lib/support/mkquota.c -+++ b/lib/support/mkquota.c -@@ -671,6 +671,7 @@ errcode_t quota_compare_and_update(quota - err = qh.qh_ops->scan_dquots(&qh, scan_dquots_callback, &scan_data); - if (err) { - log_debug("Error scanning dquots"); -+ *usage_inconsistent = 1; - goto out_close_qh; - } - ---- a/lib/support/quotaio_tree.c -+++ b/lib/support/quotaio_tree.c -@@ -540,6 +540,17 @@ struct dquot *qtree_read_dquot(struct qu - return dquot; - } - -+static int check_reference(struct quota_handle *h, unsigned int blk) -+{ -+ if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) { -+ log_err("Illegal reference (%u >= %u) in %s quota file", -+ blk, h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks, -+ quota_type2name(h->qh_type)); -+ return -1; -+ } -+ return 0; -+} -+ - /* - * Scan all dquots in file and call callback on each - */ -@@ -558,7 +569,7 @@ static int report_block(struct dquot *dq - int entries, i; - - if (!buf) -- return 0; -+ return -1; - - set_bit(bitmap, blk); - read_blk(dquot->dq_h, blk, buf); -@@ -580,23 +591,12 @@ static int report_block(struct dquot *dq - return entries; - } - --static void check_reference(struct quota_handle *h, unsigned int blk) --{ -- if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) -- log_err("Illegal reference (%u >= %u) in %s quota file. " -- "Quota file is probably corrupted.\n" -- "Please run e2fsck (8) to fix it.", -- blk, -- h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks, -- quota_type2name(h->qh_type)); --} -- - static int report_tree(struct dquot *dquot, unsigned int blk, int depth, - char *bitmap, - int (*process_dquot) (struct dquot *, void *), - void *data) - { -- int entries = 0, i; -+ int entries = 0, ret, i; - dqbuf_t buf = getdqbuf(); - __le32 *ref = (__le32 *) buf; - -@@ -607,22 +607,40 @@ static int report_tree(struct dquot *dqu - if (depth == QT_TREEDEPTH - 1) { - for (i = 0; i < QT_BLKSIZE >> 2; i++) { - blk = ext2fs_le32_to_cpu(ref[i]); -- check_reference(dquot->dq_h, blk); -- if (blk && !get_bit(bitmap, blk)) -- entries += report_block(dquot, blk, bitmap, -- process_dquot, data); -+ if (check_reference(dquot->dq_h, blk)) { -+ entries = -1; -+ goto errout; -+ } -+ if (blk && !get_bit(bitmap, blk)) { -+ ret = report_block(dquot, blk, bitmap, -+ process_dquot, data); -+ if (ret < 0) { -+ entries = ret; -+ goto errout; -+ } -+ entries += ret; -+ } - } - } else { - for (i = 0; i < QT_BLKSIZE >> 2; i++) { - blk = ext2fs_le32_to_cpu(ref[i]); - if (blk) { -- check_reference(dquot->dq_h, blk); -- entries += report_tree(dquot, blk, depth + 1, -- bitmap, process_dquot, -- data); -+ if (check_reference(dquot->dq_h, blk)) { -+ entries = -1; -+ goto errout; -+ } -+ ret = report_tree(dquot, blk, depth + 1, -+ bitmap, process_dquot, -+ data); -+ if (ret < 0) { -+ entries = ret; -+ goto errout; -+ } -+ entries += ret; - } - } - } -+errout: - freedqbuf(buf); - return entries; - } -@@ -642,6 +660,7 @@ int qtree_scan_dquots(struct quota_handl - int (*process_dquot) (struct dquot *, void *), - void *data) - { -+ int ret; - char *bitmap; - struct v2_mem_dqinfo *v2info = &h->qh_info.u.v2_mdqi; - struct qtree_mem_dqinfo *info = &v2info->dqi_qtree; -@@ -655,10 +674,14 @@ int qtree_scan_dquots(struct quota_handl - ext2fs_free_mem(&dquot); - return -1; - } -- v2info->dqi_used_entries = report_tree(dquot, QT_TREEOFF, 0, bitmap, -- process_dquot, data); -+ ret = report_tree(dquot, QT_TREEOFF, 0, bitmap, process_dquot, data); -+ if (ret < 0) -+ goto errout; -+ v2info->dqi_used_entries = ret; - v2info->dqi_data_blocks = find_set_bits(bitmap, info->dqi_blocks); -+ ret = 0; -+errout: - ext2fs_free_mem(&bitmap); - ext2fs_free_mem(&dquot); -- return 0; -+ return ret; - } ---- a/lib/support/quotaio_v2.c -+++ b/lib/support/quotaio_v2.c -@@ -175,6 +175,8 @@ static int v2_check_file(struct quota_ha - static int v2_init_io(struct quota_handle *h) - { - struct v2_disk_dqinfo ddqinfo; -+ struct v2_mem_dqinfo *info; -+ __u64 filesize; - - h->qh_info.u.v2_mdqi.dqi_qtree.dqi_entry_size = - sizeof(struct v2r1_disk_dqblk); -@@ -185,6 +187,32 @@ static int v2_init_io(struct quota_handl - sizeof(ddqinfo)) != sizeof(ddqinfo)) - return -1; - v2_disk2memdqinfo(&h->qh_info, &ddqinfo); -+ -+ /* Check to make sure quota file info is sane */ -+ info = &h->qh_info.u.v2_mdqi; -+ if (ext2fs_file_get_lsize(h->qh_qf.e2_file, &filesize)) -+ return -1; -+ if ((filesize > (1U << 31)) || -+ (info->dqi_qtree.dqi_blocks > -+ (filesize + QT_BLKSIZE - 1) >> QT_BLKSIZE_BITS)) { -+ log_err("Quota inode %u corrupted: file size %llu; " -+ "dqi_blocks %u", h->qh_qf.ino, -+ filesize, info->dqi_qtree.dqi_blocks); -+ return -1; -+ } -+ if (info->dqi_qtree.dqi_free_blk >= info->dqi_qtree.dqi_blocks) { -+ log_err("Quota inode %u corrupted: free_blk %u; dqi_blocks %u", -+ h->qh_qf.ino, info->dqi_qtree.dqi_free_blk, -+ info->dqi_qtree.dqi_blocks); -+ return -1; -+ } -+ if (info->dqi_qtree.dqi_free_entry >= info->dqi_qtree.dqi_blocks) { -+ log_err("Quota inode %u corrupted: free_entry %u; " -+ "dqi_blocks %u", h->qh_qf.ino, -+ info->dqi_qtree.dqi_free_entry, -+ info->dqi_qtree.dqi_blocks); -+ return -1; -+ } - return 0; - } - -- 2.30.2