diff options
author | Leo <thinkabit.ukim@gmail.com> | 2019-10-12 01:42:13 -0300 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-10-17 16:16:57 +0200 |
commit | bac324e9e42da71fd74dd386daf7f84aae6907dc (patch) | |
tree | 952bfb6027a09399f2fd976007b6d6311007ff85 | |
parent | 54026be9f8fd1798d59e12999f3603e1d9a9774f (diff) | |
download | alpine_aports-bac324e9e42da71fd74dd386daf7f84aae6907dc.tar.bz2 alpine_aports-bac324e9e42da71fd74dd386daf7f84aae6907dc.tar.xz alpine_aports-bac324e9e42da71fd74dd386daf7f84aae6907dc.zip |
main/e2fsprogs: fix CVE-2019-5094
ref #10835
-rw-r--r-- | main/e2fsprogs/APKBUILD | 13 | ||||
-rw-r--r-- | main/e2fsprogs/CVE-2019-5094.patch | 190 |
2 files changed, 200 insertions, 3 deletions
diff --git a/main/e2fsprogs/APKBUILD b/main/e2fsprogs/APKBUILD index 99d5c80045..aed8fe99bd 100644 --- a/main/e2fsprogs/APKBUILD +++ b/main/e2fsprogs/APKBUILD | |||
@@ -2,7 +2,7 @@ | |||
2 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> | 2 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> |
3 | pkgname=e2fsprogs | 3 | pkgname=e2fsprogs |
4 | pkgver=1.45.2 | 4 | pkgver=1.45.2 |
5 | pkgrel=0 | 5 | pkgrel=1 |
6 | pkgdesc="Standard Ext2/3/4 filesystem utilities" | 6 | pkgdesc="Standard Ext2/3/4 filesystem utilities" |
7 | url="http://e2fsprogs.sourceforge.net" | 7 | url="http://e2fsprogs.sourceforge.net" |
8 | arch="all" | 8 | arch="all" |
@@ -11,7 +11,13 @@ depends_dev="util-linux-dev" | |||
11 | makedepends="$depends_dev linux-headers" | 11 | makedepends="$depends_dev linux-headers" |
12 | checkdepends="diffutils perl" | 12 | checkdepends="diffutils perl" |
13 | subpackages="$pkgname-static $pkgname-dev $pkgname-doc libcom_err $pkgname-libs $pkgname-extra" | 13 | subpackages="$pkgname-static $pkgname-dev $pkgname-doc libcom_err $pkgname-libs $pkgname-extra" |
14 | source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz" | 14 | source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz |
15 | CVE-2019-5094.patch | ||
16 | " | ||
17 | |||
18 | # secfixes: | ||
19 | # 1.45.2-r1: | ||
20 | # - CVE-2019-5094 | ||
15 | 21 | ||
16 | build() { | 22 | build() { |
17 | cd "$builddir" | 23 | cd "$builddir" |
@@ -81,4 +87,5 @@ static() { | |||
81 | mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib | 87 | mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib |
82 | } | 88 | } |
83 | 89 | ||
84 | sha512sums="50fdb7769c789fb143b2e4bd56e6b55eac8f84be5b7074008134fa56d980342c2307e62380f9ba6a8ab9bbc6bbf45b349aad540c8f239cf859706fd33e521e5e e2fsprogs-1.45.2.tar.xz" | 90 | sha512sums="50fdb7769c789fb143b2e4bd56e6b55eac8f84be5b7074008134fa56d980342c2307e62380f9ba6a8ab9bbc6bbf45b349aad540c8f239cf859706fd33e521e5e e2fsprogs-1.45.2.tar.xz |
91 | 72e7d8199ea071802fbe74fbb2153253e5460412b115e03750ecac46d298aeb73bd8e7610a2d5b8be83b7125080c7e9e23d9b71baee1c7a4f68026344106a922 CVE-2019-5094.patch" | ||
diff --git a/main/e2fsprogs/CVE-2019-5094.patch b/main/e2fsprogs/CVE-2019-5094.patch new file mode 100644 index 0000000000..d350b3f294 --- /dev/null +++ b/main/e2fsprogs/CVE-2019-5094.patch | |||
@@ -0,0 +1,190 @@ | |||
1 | diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c | ||
2 | index 0b9e766..ddb5312 100644 | ||
3 | --- a/lib/support/mkquota.c | ||
4 | +++ b/lib/support/mkquota.c | ||
5 | @@ -671,6 +671,7 @@ errcode_t quota_compare_and_update(quota_ctx_t qctx, enum quota_type qtype, | ||
6 | err = qh.qh_ops->scan_dquots(&qh, scan_dquots_callback, &scan_data); | ||
7 | if (err) { | ||
8 | log_debug("Error scanning dquots"); | ||
9 | + *usage_inconsistent = 1; | ||
10 | goto out_close_qh; | ||
11 | } | ||
12 | |||
13 | diff --git a/lib/support/quotaio_tree.c b/lib/support/quotaio_tree.c | ||
14 | index a7c2028..6cc4fb5 100644 | ||
15 | --- a/lib/support/quotaio_tree.c | ||
16 | +++ b/lib/support/quotaio_tree.c | ||
17 | @@ -540,6 +540,17 @@ struct dquot *qtree_read_dquot(struct quota_handle *h, qid_t id) | ||
18 | return dquot; | ||
19 | } | ||
20 | |||
21 | +static int check_reference(struct quota_handle *h, unsigned int blk) | ||
22 | +{ | ||
23 | + if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) { | ||
24 | + log_err("Illegal reference (%u >= %u) in %s quota file", | ||
25 | + blk, h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks, | ||
26 | + quota_type2name(h->qh_type)); | ||
27 | + return -1; | ||
28 | + } | ||
29 | + return 0; | ||
30 | +} | ||
31 | + | ||
32 | /* | ||
33 | * Scan all dquots in file and call callback on each | ||
34 | */ | ||
35 | @@ -558,7 +569,7 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap, | ||
36 | int entries, i; | ||
37 | |||
38 | if (!buf) | ||
39 | - return 0; | ||
40 | + return -1; | ||
41 | |||
42 | set_bit(bitmap, blk); | ||
43 | read_blk(dquot->dq_h, blk, buf); | ||
44 | @@ -580,23 +591,12 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap, | ||
45 | return entries; | ||
46 | } | ||
47 | |||
48 | -static void check_reference(struct quota_handle *h, unsigned int blk) | ||
49 | -{ | ||
50 | - if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) | ||
51 | - log_err("Illegal reference (%u >= %u) in %s quota file. " | ||
52 | - "Quota file is probably corrupted.\n" | ||
53 | - "Please run e2fsck (8) to fix it.", | ||
54 | - blk, | ||
55 | - h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks, | ||
56 | - quota_type2name(h->qh_type)); | ||
57 | -} | ||
58 | - | ||
59 | static int report_tree(struct dquot *dquot, unsigned int blk, int depth, | ||
60 | char *bitmap, | ||
61 | int (*process_dquot) (struct dquot *, void *), | ||
62 | void *data) | ||
63 | { | ||
64 | - int entries = 0, i; | ||
65 | + int entries = 0, ret, i; | ||
66 | dqbuf_t buf = getdqbuf(); | ||
67 | __le32 *ref = (__le32 *) buf; | ||
68 | |||
69 | @@ -607,22 +607,40 @@ static int report_tree(struct dquot *dquot, unsigned int blk, int depth, | ||
70 | if (depth == QT_TREEDEPTH - 1) { | ||
71 | for (i = 0; i < QT_BLKSIZE >> 2; i++) { | ||
72 | blk = ext2fs_le32_to_cpu(ref[i]); | ||
73 | - check_reference(dquot->dq_h, blk); | ||
74 | - if (blk && !get_bit(bitmap, blk)) | ||
75 | - entries += report_block(dquot, blk, bitmap, | ||
76 | - process_dquot, data); | ||
77 | + if (check_reference(dquot->dq_h, blk)) { | ||
78 | + entries = -1; | ||
79 | + goto errout; | ||
80 | + } | ||
81 | + if (blk && !get_bit(bitmap, blk)) { | ||
82 | + ret = report_block(dquot, blk, bitmap, | ||
83 | + process_dquot, data); | ||
84 | + if (ret < 0) { | ||
85 | + entries = ret; | ||
86 | + goto errout; | ||
87 | + } | ||
88 | + entries += ret; | ||
89 | + } | ||
90 | } | ||
91 | } else { | ||
92 | for (i = 0; i < QT_BLKSIZE >> 2; i++) { | ||
93 | blk = ext2fs_le32_to_cpu(ref[i]); | ||
94 | if (blk) { | ||
95 | - check_reference(dquot->dq_h, blk); | ||
96 | - entries += report_tree(dquot, blk, depth + 1, | ||
97 | - bitmap, process_dquot, | ||
98 | - data); | ||
99 | + if (check_reference(dquot->dq_h, blk)) { | ||
100 | + entries = -1; | ||
101 | + goto errout; | ||
102 | + } | ||
103 | + ret = report_tree(dquot, blk, depth + 1, | ||
104 | + bitmap, process_dquot, | ||
105 | + data); | ||
106 | + if (ret < 0) { | ||
107 | + entries = ret; | ||
108 | + goto errout; | ||
109 | + } | ||
110 | + entries += ret; | ||
111 | } | ||
112 | } | ||
113 | } | ||
114 | +errout: | ||
115 | freedqbuf(buf); | ||
116 | return entries; | ||
117 | } | ||
118 | @@ -642,6 +660,7 @@ int qtree_scan_dquots(struct quota_handle *h, | ||
119 | int (*process_dquot) (struct dquot *, void *), | ||
120 | void *data) | ||
121 | { | ||
122 | + int ret; | ||
123 | char *bitmap; | ||
124 | struct v2_mem_dqinfo *v2info = &h->qh_info.u.v2_mdqi; | ||
125 | struct qtree_mem_dqinfo *info = &v2info->dqi_qtree; | ||
126 | @@ -655,10 +674,14 @@ int qtree_scan_dquots(struct quota_handle *h, | ||
127 | ext2fs_free_mem(&dquot); | ||
128 | return -1; | ||
129 | } | ||
130 | - v2info->dqi_used_entries = report_tree(dquot, QT_TREEOFF, 0, bitmap, | ||
131 | - process_dquot, data); | ||
132 | + ret = report_tree(dquot, QT_TREEOFF, 0, bitmap, process_dquot, data); | ||
133 | + if (ret < 0) | ||
134 | + goto errout; | ||
135 | + v2info->dqi_used_entries = ret; | ||
136 | v2info->dqi_data_blocks = find_set_bits(bitmap, info->dqi_blocks); | ||
137 | + ret = 0; | ||
138 | +errout: | ||
139 | ext2fs_free_mem(&bitmap); | ||
140 | ext2fs_free_mem(&dquot); | ||
141 | - return 0; | ||
142 | + return ret; | ||
143 | } | ||
144 | diff --git a/lib/support/quotaio_v2.c b/lib/support/quotaio_v2.c | ||
145 | index 38be2a3..7390667 100644 | ||
146 | --- a/lib/support/quotaio_v2.c | ||
147 | +++ b/lib/support/quotaio_v2.c | ||
148 | @@ -175,6 +175,8 @@ static int v2_check_file(struct quota_handle *h, int type, int fmt) | ||
149 | static int v2_init_io(struct quota_handle *h) | ||
150 | { | ||
151 | struct v2_disk_dqinfo ddqinfo; | ||
152 | + struct v2_mem_dqinfo *info; | ||
153 | + __u64 filesize; | ||
154 | |||
155 | h->qh_info.u.v2_mdqi.dqi_qtree.dqi_entry_size = | ||
156 | sizeof(struct v2r1_disk_dqblk); | ||
157 | @@ -185,6 +187,32 @@ static int v2_init_io(struct quota_handle *h) | ||
158 | sizeof(ddqinfo)) != sizeof(ddqinfo)) | ||
159 | return -1; | ||
160 | v2_disk2memdqinfo(&h->qh_info, &ddqinfo); | ||
161 | + | ||
162 | + /* Check to make sure quota file info is sane */ | ||
163 | + info = &h->qh_info.u.v2_mdqi; | ||
164 | + if (ext2fs_file_get_lsize(h->qh_qf.e2_file, &filesize)) | ||
165 | + return -1; | ||
166 | + if ((filesize > (1U << 31)) || | ||
167 | + (info->dqi_qtree.dqi_blocks > | ||
168 | + (filesize + QT_BLKSIZE - 1) >> QT_BLKSIZE_BITS)) { | ||
169 | + log_err("Quota inode %u corrupted: file size %llu; " | ||
170 | + "dqi_blocks %u", h->qh_qf.ino, | ||
171 | + filesize, info->dqi_qtree.dqi_blocks); | ||
172 | + return -1; | ||
173 | + } | ||
174 | + if (info->dqi_qtree.dqi_free_blk >= info->dqi_qtree.dqi_blocks) { | ||
175 | + log_err("Quota inode %u corrupted: free_blk %u; dqi_blocks %u", | ||
176 | + h->qh_qf.ino, info->dqi_qtree.dqi_free_blk, | ||
177 | + info->dqi_qtree.dqi_blocks); | ||
178 | + return -1; | ||
179 | + } | ||
180 | + if (info->dqi_qtree.dqi_free_entry >= info->dqi_qtree.dqi_blocks) { | ||
181 | + log_err("Quota inode %u corrupted: free_entry %u; " | ||
182 | + "dqi_blocks %u", h->qh_qf.ino, | ||
183 | + info->dqi_qtree.dqi_free_entry, | ||
184 | + info->dqi_qtree.dqi_blocks); | ||
185 | + return -1; | ||
186 | + } | ||
187 | return 0; | ||
188 | } | ||
189 | |||
190 | |||