Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 137932 Details for
Bug 201546
sys-fs/e2fsprogs < 1.40.3 Multiple buffer overflows (CVE-2007-5497)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
0001-libext2fs-Add-checks-to-prevent-integer-overflows-p.patch
0001-libext2fs-Add-checks-to-prevent-integer-overflows-p.patch (text/plain), 11.68 KB, created by
Robert Buchholz (RETIRED)
on 2007-12-07 00:33:25 UTC
(
hide
)
Description:
0001-libext2fs-Add-checks-to-prevent-integer-overflows-p.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2007-12-07 00:33:25 UTC
Size:
11.68 KB
patch
obsolete
>From ee01079a17bfecd17292ccd60058056fb3a8ba6c Mon Sep 17 00:00:00 2001 >From: Theodore Ts'o <tytso@mit.edu> >Date: Fri, 9 Nov 2007 19:01:06 -0500 >Subject: [PATCH] libext2fs: Add checks to prevent integer overflows passed to malloc() > >This addresses a potential security vulnerability where an untrusted >filesystem can be corrupted in such a way that a program using >libext2fs will allocate a buffer which is far too small. This can >lead to either a crash or potentially a heap-based buffer overflow >crash. No known exploits exist, but main concern is where an >untrusted user who possesses privileged access in a guest Xen >environment could corrupt a filesystem which is then accessed by the >pygrub program, running as root in the dom0 host environment, thus >allowing the untrusted user to gain privileged access in the host OS. > >Thanks to the McAfee AVERT Research group for reporting this issue. > >Addresses CVE-2007-5497. > >Signed-off-by: Rafal Wojtczuk <rafal_wojtczuk@mcafee.com> >Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> >--- > lib/ext2fs/badblocks.c | 2 +- > lib/ext2fs/bb_inode.c | 2 +- > lib/ext2fs/block.c | 2 +- > lib/ext2fs/bmap.c | 2 +- > lib/ext2fs/bmove.c | 2 +- > lib/ext2fs/brel_ma.c | 3 ++- > lib/ext2fs/closefs.c | 3 +-- > lib/ext2fs/dblist.c | 3 ++- > lib/ext2fs/dupfs.c | 2 +- > lib/ext2fs/ext2fs.h | 7 +++++++ > lib/ext2fs/fileio.c | 2 +- > lib/ext2fs/icount.c | 3 ++- > lib/ext2fs/initialize.c | 2 +- > lib/ext2fs/inode.c | 10 +++++----- > lib/ext2fs/irel_ma.c | 12 ++++++++---- > lib/ext2fs/openfs.c | 2 +- > lib/ext2fs/res_gdt.c | 2 +- > 17 files changed, 37 insertions(+), 24 deletions(-) > >diff --git a/lib/ext2fs/badblocks.c b/lib/ext2fs/badblocks.c >index 50e6336..da7889d 100644 >--- a/lib/ext2fs/badblocks.c >+++ b/lib/ext2fs/badblocks.c >@@ -42,7 +42,7 @@ static errcode_t make_u32_list(int size, int num, __u32 *list, > bb->magic = EXT2_ET_MAGIC_BADBLOCKS_LIST; > bb->size = size ? size : 10; > bb->num = num; >- retval = ext2fs_get_mem(bb->size * sizeof(blk_t), &bb->list); >+ retval = ext2fs_get_array(bb->size, sizeof(blk_t), &bb->list); > if (retval) { > ext2fs_free_mem(&bb); > return retval; >diff --git a/lib/ext2fs/bb_inode.c b/lib/ext2fs/bb_inode.c >index 97a5608..1f5b4e8 100644 >--- a/lib/ext2fs/bb_inode.c >+++ b/lib/ext2fs/bb_inode.c >@@ -68,7 +68,7 @@ errcode_t ext2fs_update_bb_inode(ext2_filsys fs, ext2_badblocks_list bb_list) > rec.bad_block_count = 0; > rec.ind_blocks_size = rec.ind_blocks_ptr = 0; > rec.max_ind_blocks = 10; >- retval = ext2fs_get_mem(rec.max_ind_blocks * sizeof(blk_t), >+ retval = ext2fs_get_array(rec.max_ind_blocks, sizeof(blk_t), > &rec.ind_blocks); > if (retval) > return retval; >diff --git a/lib/ext2fs/block.c b/lib/ext2fs/block.c >index 7685680..07a6415 100644 >--- a/lib/ext2fs/block.c >+++ b/lib/ext2fs/block.c >@@ -313,7 +313,7 @@ errcode_t ext2fs_block_iterate2(ext2_filsys fs, > if (block_buf) { > ctx.ind_buf = block_buf; > } else { >- retval = ext2fs_get_mem(fs->blocksize * 3, &ctx.ind_buf); >+ retval = ext2fs_get_array(3, fs->blocksize, &ctx.ind_buf); > if (retval) > return retval; > } >diff --git a/lib/ext2fs/bmap.c b/lib/ext2fs/bmap.c >index e840044..754fc49 100644 >--- a/lib/ext2fs/bmap.c >+++ b/lib/ext2fs/bmap.c >@@ -158,7 +158,7 @@ errcode_t ext2fs_bmap(ext2_filsys fs, ext2_ino_t ino, struct ext2_inode *inode, > addr_per_block = (blk_t) fs->blocksize >> 2; > > if (!block_buf) { >- retval = ext2fs_get_mem(fs->blocksize * 2, &buf); >+ retval = ext2fs_get_array(2, fs->blocksize, &buf); > if (retval) > return retval; > block_buf = buf; >diff --git a/lib/ext2fs/bmove.c b/lib/ext2fs/bmove.c >index 9946c46..7d4b21a 100644 >--- a/lib/ext2fs/bmove.c >+++ b/lib/ext2fs/bmove.c >@@ -108,7 +108,7 @@ errcode_t ext2fs_move_blocks(ext2_filsys fs, > pb.alloc_map = alloc_map ? alloc_map : fs->block_map; > pb.flags = flags; > >- retval = ext2fs_get_mem(fs->blocksize * 4, &block_buf); >+ retval = ext2fs_get_array(4, fs->blocksize, &block_buf); > if (retval) > return retval; > pb.buf = block_buf + fs->blocksize * 3; >diff --git a/lib/ext2fs/brel_ma.c b/lib/ext2fs/brel_ma.c >index d422bb2..3753e9f 100644 >--- a/lib/ext2fs/brel_ma.c >+++ b/lib/ext2fs/brel_ma.c >@@ -75,7 +75,8 @@ errcode_t ext2fs_brel_memarray_create(char *name, blk_t max_block, > > size = (size_t) (sizeof(struct ext2_block_relocate_entry) * > (max_block+1)); >- retval = ext2fs_get_mem(size, &ma->entries); >+ retval = ext2fs_get_array(max_block+1, >+ sizeof(struct ext2_block_relocate_entry), &ma->entries); > if (retval) > goto errout; > memset(ma->entries, 0, size); >diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c >index 474e00e..f3fe533 100644 >--- a/lib/ext2fs/closefs.c >+++ b/lib/ext2fs/closefs.c >@@ -226,8 +226,7 @@ errcode_t ext2fs_flush(ext2_filsys fs) > retval = ext2fs_get_mem(SUPERBLOCK_SIZE, &super_shadow); > if (retval) > goto errout; >- retval = ext2fs_get_mem((size_t)(fs->blocksize * >- fs->desc_blocks), >+ retval = ext2fs_get_array(fs->blocksize, fs->desc_blocks, > &group_shadow); > if (retval) > goto errout; >diff --git a/lib/ext2fs/dblist.c b/lib/ext2fs/dblist.c >index d5833d7..21b36aa 100644 >--- a/lib/ext2fs/dblist.c >+++ b/lib/ext2fs/dblist.c >@@ -85,7 +85,8 @@ static errcode_t make_dblist(ext2_filsys fs, ext2_ino_t size, ext2_ino_t count, > } > len = (size_t) sizeof(struct ext2_db_entry) * dblist->size; > dblist->count = count; >- retval = ext2fs_get_mem(len, &dblist->list); >+ retval = ext2fs_get_array(dblist->size, sizeof(struct ext2_db_entry), >+ &dblist->list); > if (retval) > goto cleanup; > >diff --git a/lib/ext2fs/dupfs.c b/lib/ext2fs/dupfs.c >index f8919c2..1cf314c 100644 >--- a/lib/ext2fs/dupfs.c >+++ b/lib/ext2fs/dupfs.c >@@ -59,7 +59,7 @@ errcode_t ext2fs_dup_handle(ext2_filsys src, ext2_filsys *dest) > goto errout; > memcpy(fs->orig_super, src->orig_super, SUPERBLOCK_SIZE); > >- retval = ext2fs_get_mem((size_t) fs->desc_blocks * fs->blocksize, >+ retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize, > &fs->group_desc); > if (retval) > goto errout; >diff --git a/lib/ext2fs/ext2fs.h b/lib/ext2fs/ext2fs.h >index 7645210..06ba9a2 100644 >--- a/lib/ext2fs/ext2fs.h >+++ b/lib/ext2fs/ext2fs.h >@@ -965,6 +965,7 @@ extern errcode_t ext2fs_write_bb_FILE(ext2_badblocks_list bb_list, > > /* inline functions */ > extern errcode_t ext2fs_get_mem(unsigned long size, void *ptr); >+extern errcode_t ext2fs_get_array(unsigned long count, unsigned long size, void *ptr); > extern errcode_t ext2fs_free_mem(void *ptr); > extern errcode_t ext2fs_resize_mem(unsigned long old_size, > unsigned long size, void *ptr); >@@ -1018,6 +1019,12 @@ _INLINE_ errcode_t ext2fs_get_mem(unsigned long size, void *ptr) > memcpy(ptr, &pp, sizeof (pp)); > return 0; > } >+_INLINE_ errcode_t ext2fs_get_array(unsigned long count, unsigned long size, void *ptr) >+{ >+ if (count && (-1UL)/count<size) >+ return EXT2_ET_NO_MEMORY; //maybe define EXT2_ET_OVERFLOW ? >+ return ext2fs_get_mem(count*size, ptr); >+} > > /* > * Free memory >diff --git a/lib/ext2fs/fileio.c b/lib/ext2fs/fileio.c >index 3e42cbc..8bf99fb 100644 >--- a/lib/ext2fs/fileio.c >+++ b/lib/ext2fs/fileio.c >@@ -65,7 +65,7 @@ errcode_t ext2fs_file_open2(ext2_filsys fs, ext2_ino_t ino, > goto fail; > } > >- retval = ext2fs_get_mem(fs->blocksize * 3, &file->buf); >+ retval = ext2fs_get_array(3, fs->blocksize, &file->buf); > if (retval) > goto fail; > >diff --git a/lib/ext2fs/icount.c b/lib/ext2fs/icount.c >index de0b614..2905676 100644 >--- a/lib/ext2fs/icount.c >+++ b/lib/ext2fs/icount.c >@@ -237,7 +237,8 @@ errcode_t ext2fs_create_icount2(ext2_filsys fs, int flags, unsigned int size, > printf("Icount allocated %u entries, %d bytes.\n", > icount->size, bytes); > #endif >- retval = ext2fs_get_mem(bytes, &icount->list); >+ retval = ext2fs_get_array(icount->size, sizeof(struct ext2_icount_el), >+ &icount->list); > if (retval) > goto errout; > memset(icount->list, 0, bytes); >diff --git a/lib/ext2fs/initialize.c b/lib/ext2fs/initialize.c >index 16e9eaa..c8f48b9 100644 >--- a/lib/ext2fs/initialize.c >+++ b/lib/ext2fs/initialize.c >@@ -351,7 +351,7 @@ ipg_retry: > > ext2fs_free_mem(&buf); > >- retval = ext2fs_get_mem((size_t) fs->desc_blocks * fs->blocksize, >+ retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize, > &fs->group_desc); > if (retval) > goto cleanup; >diff --git a/lib/ext2fs/inode.c b/lib/ext2fs/inode.c >index 49d012c..7a0cf4e 100644 >--- a/lib/ext2fs/inode.c >+++ b/lib/ext2fs/inode.c >@@ -90,9 +90,9 @@ static errcode_t create_icache(ext2_filsys fs) > fs->icache->cache_last = -1; > fs->icache->cache_size = 4; > fs->icache->refcount = 1; >- retval = ext2fs_get_mem(sizeof(struct ext2_inode_cache_ent) >- * fs->icache->cache_size, >- &fs->icache->cache); >+ retval = ext2fs_get_array(fs->icache->cache_size, >+ sizeof(struct ext2_inode_cache_ent), >+ &fs->icache->cache); > if (retval) { > ext2fs_free_mem(&fs->icache->buffer); > ext2fs_free_mem(&fs->icache); >@@ -146,8 +146,8 @@ errcode_t ext2fs_open_inode_scan(ext2_filsys fs, int buffer_blocks, > group_desc[scan->current_group].bg_inode_table; > scan->inodes_left = EXT2_INODES_PER_GROUP(scan->fs->super); > scan->blocks_left = scan->fs->inode_blocks_per_group; >- retval = ext2fs_get_mem((size_t) (scan->inode_buffer_blocks * >- fs->blocksize), >+ retval = ext2fs_get_array(scan->inode_buffer_blocks, >+ fs->blocksize, > &scan->inode_buffer); > scan->done_group = 0; > scan->done_group_data = 0; >diff --git a/lib/ext2fs/irel_ma.c b/lib/ext2fs/irel_ma.c >index eedbe55..c6fa828 100644 >--- a/lib/ext2fs/irel_ma.c >+++ b/lib/ext2fs/irel_ma.c >@@ -90,21 +90,24 @@ errcode_t ext2fs_irel_memarray_create(char *name, ext2_ino_t max_inode, > irel->priv_data = ma; > > size = (size_t) (sizeof(ext2_ino_t) * (max_inode+1)); >- retval = ext2fs_get_mem(size, &ma->orig_map); >+ retval = ext2fs_get_array(max_inode+1, sizeof(ext2_ino_t), >+ &ma->orig_map); > if (retval) > goto errout; > memset(ma->orig_map, 0, size); > > size = (size_t) (sizeof(struct ext2_inode_relocate_entry) * > (max_inode+1)); >- retval = ext2fs_get_mem(size, &ma->entries); >+ retval = ext2fs_get_array((max_inode+1, >+ sizeof(struct ext2_inode_relocate_entry), &ma->entries); > if (retval) > goto errout; > memset(ma->entries, 0, size); > > size = (size_t) (sizeof(struct inode_reference_entry) * > (max_inode+1)); >- retval = ext2fs_get_mem(size, &ma->ref_entries); >+ retval = ext2fs_get_mem(max_inode+1, >+ sizeof(struct inode_reference_entry), &ma->ref_entries); > if (retval) > goto errout; > memset(ma->ref_entries, 0, size); >@@ -249,7 +252,8 @@ static errcode_t ima_add_ref(ext2_irel irel, ext2_ino_t ino, > if (ref_ent->refs == 0) { > size = (size_t) ((sizeof(struct ext2_inode_reference) * > ent->max_refs)); >- retval = ext2fs_get_mem(size, &ref_ent->refs); >+ retval = ext2fs_get_array(ent->max_refs, >+ sizeof(struct ext2_inode_reference), &ref_ent->refs); > if (retval) > return retval; > memset(ref_ent->refs, 0, size); >diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c >index 1ac1564..947675e 100644 >--- a/lib/ext2fs/openfs.c >+++ b/lib/ext2fs/openfs.c >@@ -280,7 +280,7 @@ errcode_t ext2fs_open2(const char *name, const char *io_options, > blocks_per_group); > fs->desc_blocks = ext2fs_div_ceil(fs->group_desc_count, > EXT2_DESC_PER_BLOCK(fs->super)); >- retval = ext2fs_get_mem(fs->desc_blocks * fs->blocksize, >+ retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize, > &fs->group_desc); > if (retval) > goto cleanup; >diff --git a/lib/ext2fs/res_gdt.c b/lib/ext2fs/res_gdt.c >index 9901c6e..fa72fc9 100644 >--- a/lib/ext2fs/res_gdt.c >+++ b/lib/ext2fs/res_gdt.c >@@ -73,7 +73,7 @@ errcode_t ext2fs_create_resize_inode(ext2_filsys fs) > > sb = fs->super; > >- retval = ext2fs_get_mem(2 * fs->blocksize, &dindir_buf); >+ retval = ext2fs_get_array(2, fs->blocksize, &dindir_buf); > if (retval) > goto out_free; > gdt_buf = (__u32 *)((char *)dindir_buf + fs->blocksize); >-- >1.5.3.7.995.gc8d22-dirty >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 201546
: 137932