main/e2fsprogs: fix CVE-2019-5094

ref #10835
author: Leo <thinkabit.ukim@gmail.com> 2019-10-12 01:42:13 -0300
committer: Natanael Copa <ncopa@alpinelinux.org> 2019-10-17 16:16:57 +0200
commit: bac324e9e42da71fd74dd386daf7f84aae6907dc (patch)
tree: 952bfb6027a09399f2fd976007b6d6311007ff85
parent: 54026be9f8fd1798d59e12999f3603e1d9a9774f (diff)
download: alpine_aports-bac324e9e42da71fd74dd386daf7f84aae6907dc.tar.bz2
alpine_aports-bac324e9e42da71fd74dd386daf7f84aae6907dc.tar.xz
alpine_aports-bac324e9e42da71fd74dd386daf7f84aae6907dc.zip
2 files changed, 200 insertions, 3 deletions
diff --git a/main/e2fsprogs/APKBUILD b/main/e2fsprogs/APKBUILD
index 99d5c80045..aed8fe99bd 100644
--- a/main/e2fsprogs/APKBUILD
+++ b/main/e2fsprogs/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=e2fsprogs
 pkgver=1.45.2
-pkgrel=0
+pkgrel=1
 pkgdesc="Standard Ext2/3/4 filesystem utilities"
 url="http://e2fsprogs.sourceforge.net"
 arch="all"
@@ -11,7 +11,13 @@ depends_dev="util-linux-dev"
 makedepends="$depends_dev linux-headers"
 checkdepends="diffutils perl"
 subpackages="$pkgname-static $pkgname-dev $pkgname-doc libcom_err $pkgname-libs $pkgname-extra"
-source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz"
+source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz
+        CVE-2019-5094.patch
+        "
+# secfixes:
+#   1.45.2-r1:
+#     - CVE-2019-5094
 build() {
        cd "$builddir"
@@ -81,4 +87,5 @@ static() {
        mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib
 }
-sha512sums="50fdb7769c789fb143b2e4bd56e6b55eac8f84be5b7074008134fa56d980342c2307e62380f9ba6a8ab9bbc6bbf45b349aad540c8f239cf859706fd33e521e5e  e2fsprogs-1.45.2.tar.xz"
+sha512sums="50fdb7769c789fb143b2e4bd56e6b55eac8f84be5b7074008134fa56d980342c2307e62380f9ba6a8ab9bbc6bbf45b349aad540c8f239cf859706fd33e521e5e  e2fsprogs-1.45.2.tar.xz
+72e7d8199ea071802fbe74fbb2153253e5460412b115e03750ecac46d298aeb73bd8e7610a2d5b8be83b7125080c7e9e23d9b71baee1c7a4f68026344106a922  CVE-2019-5094.patch"
diff --git a/main/e2fsprogs/CVE-2019-5094.patch b/main/e2fsprogs/CVE-2019-5094.patch
new file mode 100644
index 0000000000..d350b3f294
--- /dev/null
+++ b/main/e2fsprogs/CVE-2019-5094.patch
@@ -0,0 +1,190 @@
+diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c
+index 0b9e766..ddb5312 100644
+--- a/lib/support/mkquota.c
+++ b/lib/support/mkquota.c
+@@ -671,6 +671,7 @@ errcode_t quota_compare_and_update(quota_ctx_t qctx, enum quota_type qtype,
+        err = qh.qh_ops->scan_dquots(&qh, scan_dquots_callback, &scan_data);
+        if (err) {
+                log_debug("Error scanning dquots");
+               *usage_inconsistent = 1;
+                goto out_close_qh;
+        }
+ 
+diff --git a/lib/support/quotaio_tree.c b/lib/support/quotaio_tree.c
+index a7c2028..6cc4fb5 100644
+--- a/lib/support/quotaio_tree.c
+++ b/lib/support/quotaio_tree.c
+@@ -540,6 +540,17 @@ struct dquot *qtree_read_dquot(struct quota_handle *h, qid_t id)
+        return dquot;
+ }
+ 
+static int check_reference(struct quota_handle *h, unsigned int blk)
+{
+       if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) {
+               log_err("Illegal reference (%u >= %u) in %s quota file",
+                       blk, h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks,
+                       quota_type2name(h->qh_type));
+               return -1;
+       }
+       return 0;
+}
+
+ /*
+  * Scan all dquots in file and call callback on each
+  */
+@@ -558,7 +569,7 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap,
+        int entries, i;
+ 
+        if (!buf)
+-               return 0;
+               return -1;
+ 
+        set_bit(bitmap, blk);
+        read_blk(dquot->dq_h, blk, buf);
+@@ -580,23 +591,12 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap,
+        return entries;
+ }
+ 
+-static void check_reference(struct quota_handle *h, unsigned int blk)
+-{
+-       if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks)
+-               log_err("Illegal reference (%u >= %u) in %s quota file. "
+-                       "Quota file is probably corrupted.\n"
+-                       "Please run e2fsck (8) to fix it.",
+-                       blk,
+-                       h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks,
+-                       quota_type2name(h->qh_type));
+-}
+-
+ static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
+                       char *bitmap,
+                       int (*process_dquot) (struct dquot *, void *),
+                       void *data)
+ {
+-       int entries = 0, i;
+       int entries = 0, ret, i;
+        dqbuf_t buf = getdqbuf();
+        __le32 *ref = (__le32 *) buf;
+ 
+@@ -607,22 +607,40 @@ static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
+        if (depth == QT_TREEDEPTH - 1) {
+                for (i = 0; i < QT_BLKSIZE >> 2; i++) {
+                        blk = ext2fs_le32_to_cpu(ref[i]);
+-                       check_reference(dquot->dq_h, blk);
+-                       if (blk && !get_bit(bitmap, blk))
+-                               entries += report_block(dquot, blk, bitmap,
+-                                                       process_dquot, data);
+                       if (check_reference(dquot->dq_h, blk)) {
+                               entries = -1;
+                               goto errout;
+                       }
+                       if (blk && !get_bit(bitmap, blk)) {
+                               ret = report_block(dquot, blk, bitmap,
+                                                  process_dquot, data);
+                               if (ret < 0) {
+                                       entries = ret;
+                                       goto errout;
+                               }
+                               entries += ret;
+                       }
+                }
+        } else {
+                for (i = 0; i < QT_BLKSIZE >> 2; i++) {
+                        blk = ext2fs_le32_to_cpu(ref[i]);
+                        if (blk) {
+-                               check_reference(dquot->dq_h, blk);
+-                               entries += report_tree(dquot, blk, depth + 1,
+-                                                      bitmap, process_dquot,
+-                                                      data);
+                               if (check_reference(dquot->dq_h, blk)) {
+                                       entries = -1;
+                                       goto errout;
+                               }
+                               ret = report_tree(dquot, blk, depth + 1,
+                                                 bitmap, process_dquot,
+                                                 data);
+                               if (ret < 0) {
+                                       entries = ret;
+                                       goto errout;
+                               }
+                               entries += ret;
+                        }
+                }
+        }
+errout:
+        freedqbuf(buf);
+        return entries;
+ }
+@@ -642,6 +660,7 @@ int qtree_scan_dquots(struct quota_handle *h,
+                      int (*process_dquot) (struct dquot *, void *),
+                      void *data)
+ {
+       int ret;
+        char *bitmap;
+        struct v2_mem_dqinfo *v2info = &h->qh_info.u.v2_mdqi;
+        struct qtree_mem_dqinfo *info = &v2info->dqi_qtree;
+@@ -655,10 +674,14 @@ int qtree_scan_dquots(struct quota_handle *h,
+                ext2fs_free_mem(&dquot);
+                return -1;
+        }
+-       v2info->dqi_used_entries = report_tree(dquot, QT_TREEOFF, 0, bitmap,
+-                                              process_dquot, data);
+       ret = report_tree(dquot, QT_TREEOFF, 0, bitmap, process_dquot, data);
+       if (ret < 0)
+               goto errout;
+       v2info->dqi_used_entries = ret;
+        v2info->dqi_data_blocks = find_set_bits(bitmap, info->dqi_blocks);
+       ret = 0;
+errout:
+        ext2fs_free_mem(&bitmap);
+        ext2fs_free_mem(&dquot);
+-       return 0;
+       return ret;
+ }
+diff --git a/lib/support/quotaio_v2.c b/lib/support/quotaio_v2.c
+index 38be2a3..7390667 100644
+--- a/lib/support/quotaio_v2.c
+++ b/lib/support/quotaio_v2.c
+@@ -175,6 +175,8 @@ static int v2_check_file(struct quota_handle *h, int type, int fmt)
+ static int v2_init_io(struct quota_handle *h)
+ {
+        struct v2_disk_dqinfo ddqinfo;
+       struct v2_mem_dqinfo *info;
+       __u64 filesize;
+ 
+        h->qh_info.u.v2_mdqi.dqi_qtree.dqi_entry_size =
+                sizeof(struct v2r1_disk_dqblk);
+@@ -185,6 +187,32 @@ static int v2_init_io(struct quota_handle *h)
+                         sizeof(ddqinfo)) != sizeof(ddqinfo))
+                return -1;
+        v2_disk2memdqinfo(&h->qh_info, &ddqinfo);
+
+       /* Check to make sure quota file info is sane */
+       info = &h->qh_info.u.v2_mdqi;
+       if (ext2fs_file_get_lsize(h->qh_qf.e2_file, &filesize))
+               return -1;
+       if ((filesize > (1U << 31)) ||
+           (info->dqi_qtree.dqi_blocks >
+            (filesize + QT_BLKSIZE - 1) >> QT_BLKSIZE_BITS)) {
+               log_err("Quota inode %u corrupted: file size %llu; "
+                       "dqi_blocks %u", h->qh_qf.ino,
+                       filesize, info->dqi_qtree.dqi_blocks);
+               return -1;
+       }
+       if (info->dqi_qtree.dqi_free_blk >= info->dqi_qtree.dqi_blocks) {
+               log_err("Quota inode %u corrupted: free_blk %u; dqi_blocks %u",
+                       h->qh_qf.ino, info->dqi_qtree.dqi_free_blk,
+                       info->dqi_qtree.dqi_blocks);
+               return -1;
+       }
+       if (info->dqi_qtree.dqi_free_entry >= info->dqi_qtree.dqi_blocks) {
+               log_err("Quota inode %u corrupted: free_entry %u; "
+                       "dqi_blocks %u", h->qh_qf.ino,
+                       info->dqi_qtree.dqi_free_entry,
+                       info->dqi_qtree.dqi_blocks);
+               return -1;
+       }
+        return 0;
+ }
+
author	Leo <thinkabit.ukim@gmail.com>	2019-10-12 01:42:13 -0300
committer	Natanael Copa <ncopa@alpinelinux.org>	2019-10-17 16:16:57 +0200
commit	bac324e9e42da71fd74dd386daf7f84aae6907dc (patch)
tree	952bfb6027a09399f2fd976007b6d6311007ff85
parent	54026be9f8fd1798d59e12999f3603e1d9a9774f (diff)
download	alpine_aports-bac324e9e42da71fd74dd386daf7f84aae6907dc.tar.bz2 alpine_aports-bac324e9e42da71fd74dd386daf7f84aae6907dc.tar.xz alpine_aports-bac324e9e42da71fd74dd386daf7f84aae6907dc.zip

diff --git a/main/e2fsprogs/APKBUILD b/main/e2fsprogs/APKBUILD index 99d5c80045..aed8fe99bd 100644 --- a/main/e2fsprogs/APKBUILD +++ b/main/e2fsprogs/APKBUILD
@@ -2,7 +2,7 @@
2	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>	2	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
3	pkgname=e2fsprogs	3	pkgname=e2fsprogs
4	pkgver=1.45.2	4	pkgver=1.45.2
5	pkgrel=0	5	pkgrel=1
6	pkgdesc="Standard Ext2/3/4 filesystem utilities"	6	pkgdesc="Standard Ext2/3/4 filesystem utilities"
7	url="http://e2fsprogs.sourceforge.net"	7	url="http://e2fsprogs.sourceforge.net"
8	arch="all"	8	arch="all"
@@ -11,7 +11,13 @@ depends_dev="util-linux-dev"
11	makedepends="$depends_dev linux-headers"	11	makedepends="$depends_dev linux-headers"
12	checkdepends="diffutils perl"	12	checkdepends="diffutils perl"
13	subpackages="$pkgname-static $pkgname-dev $pkgname-doc libcom_err $pkgname-libs $pkgname-extra"	13	subpackages="$pkgname-static $pkgname-dev $pkgname-doc libcom_err $pkgname-libs $pkgname-extra"
14	source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz"	14	source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz
		15	CVE-2019-5094.patch
		16	"
		17
		18	# secfixes:
		19	# 1.45.2-r1:
		20	# - CVE-2019-5094
15		21
16	build() {	22	build() {
17	cd "$builddir"	23	cd "$builddir"
@@ -81,4 +87,5 @@ static() {
81	mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib	87	mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib
82	}	88	}
83		89
84	sha512sums="50fdb7769c789fb143b2e4bd56e6b55eac8f84be5b7074008134fa56d980342c2307e62380f9ba6a8ab9bbc6bbf45b349aad540c8f239cf859706fd33e521e5e e2fsprogs-1.45.2.tar.xz"	90	sha512sums="50fdb7769c789fb143b2e4bd56e6b55eac8f84be5b7074008134fa56d980342c2307e62380f9ba6a8ab9bbc6bbf45b349aad540c8f239cf859706fd33e521e5e e2fsprogs-1.45.2.tar.xz
		91	72e7d8199ea071802fbe74fbb2153253e5460412b115e03750ecac46d298aeb73bd8e7610a2d5b8be83b7125080c7e9e23d9b71baee1c7a4f68026344106a922 CVE-2019-5094.patch"


diff --git a/main/e2fsprogs/CVE-2019-5094.patch b/main/e2fsprogs/CVE-2019-5094.patch new file mode 100644 index 0000000000..d350b3f294 --- /dev/null +++ b/main/e2fsprogs/CVE-2019-5094.patch
@@ -0,0 +1,190 @@
		1	diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c
		2	index 0b9e766..ddb5312 100644
		3	--- a/lib/support/mkquota.c
		4	+++ b/lib/support/mkquota.c
		5	@@ -671,6 +671,7 @@ errcode_t quota_compare_and_update(quota_ctx_t qctx, enum quota_type qtype,
		6	err = qh.qh_ops->scan_dquots(&qh, scan_dquots_callback, &scan_data);
		7	if (err) {
		8	log_debug("Error scanning dquots");
		9	+ *usage_inconsistent = 1;
		10	goto out_close_qh;
		11	}
		12
		13	diff --git a/lib/support/quotaio_tree.c b/lib/support/quotaio_tree.c
		14	index a7c2028..6cc4fb5 100644
		15	--- a/lib/support/quotaio_tree.c
		16	+++ b/lib/support/quotaio_tree.c
		17	@@ -540,6 +540,17 @@ struct dquot qtree_read_dquot(struct quota_handle h, qid_t id)
		18	return dquot;
		19	}
		20
		21	+static int check_reference(struct quota_handle *h, unsigned int blk)
		22	+{
		23	+ if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) {
		24	+ log_err("Illegal reference (%u >= %u) in %s quota file",
		25	+ blk, h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks,
		26	+ quota_type2name(h->qh_type));
		27	+ return -1;
		28	+ }
		29	+ return 0;
		30	+}
		31	+
		32	/*
		33	* Scan all dquots in file and call callback on each
		34	*/
		35	@@ -558,7 +569,7 @@ static int report_block(struct dquot dquot, unsigned int blk, char bitmap,
		36	int entries, i;
		37
		38	if (!buf)
		39	- return 0;
		40	+ return -1;
		41
		42	set_bit(bitmap, blk);
		43	read_blk(dquot->dq_h, blk, buf);
		44	@@ -580,23 +591,12 @@ static int report_block(struct dquot dquot, unsigned int blk, char bitmap,
		45	return entries;
		46	}
		47
		48	-static void check_reference(struct quota_handle *h, unsigned int blk)
		49	-{
		50	- if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks)
		51	- log_err("Illegal reference (%u >= %u) in %s quota file. "
		52	- "Quota file is probably corrupted.\n"
		53	- "Please run e2fsck (8) to fix it.",
		54	- blk,
		55	- h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks,
		56	- quota_type2name(h->qh_type));
		57	-}
		58	-
		59	static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
		60	char *bitmap,
		61	int (process_dquot) (struct dquot , void *),
		62	void *data)
		63	{
		64	- int entries = 0, i;
		65	+ int entries = 0, ret, i;
		66	dqbuf_t buf = getdqbuf();
		67	__le32 ref = (__le32 ) buf;
		68
		69	@@ -607,22 +607,40 @@ static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
		70	if (depth == QT_TREEDEPTH - 1) {
		71	for (i = 0; i < QT_BLKSIZE >> 2; i++) {
		72	blk = ext2fs_le32_to_cpu(ref[i]);
		73	- check_reference(dquot->dq_h, blk);
		74	- if (blk && !get_bit(bitmap, blk))
		75	- entries += report_block(dquot, blk, bitmap,
		76	- process_dquot, data);
		77	+ if (check_reference(dquot->dq_h, blk)) {
		78	+ entries = -1;
		79	+ goto errout;
		80	+ }
		81	+ if (blk && !get_bit(bitmap, blk)) {
		82	+ ret = report_block(dquot, blk, bitmap,
		83	+ process_dquot, data);
		84	+ if (ret < 0) {
		85	+ entries = ret;
		86	+ goto errout;
		87	+ }
		88	+ entries += ret;
		89	+ }
		90	}
		91	} else {
		92	for (i = 0; i < QT_BLKSIZE >> 2; i++) {
		93	blk = ext2fs_le32_to_cpu(ref[i]);
		94	if (blk) {
		95	- check_reference(dquot->dq_h, blk);
		96	- entries += report_tree(dquot, blk, depth + 1,
		97	- bitmap, process_dquot,
		98	- data);
		99	+ if (check_reference(dquot->dq_h, blk)) {
		100	+ entries = -1;
		101	+ goto errout;
		102	+ }
		103	+ ret = report_tree(dquot, blk, depth + 1,
		104	+ bitmap, process_dquot,
		105	+ data);
		106	+ if (ret < 0) {
		107	+ entries = ret;
		108	+ goto errout;
		109	+ }
		110	+ entries += ret;
		111	}
		112	}
		113	}
		114	+errout:
		115	freedqbuf(buf);
		116	return entries;
		117	}
		118	@@ -642,6 +660,7 @@ int qtree_scan_dquots(struct quota_handle *h,
		119	int (process_dquot) (struct dquot , void *),
		120	void *data)
		121	{
		122	+ int ret;
		123	char *bitmap;
		124	struct v2_mem_dqinfo *v2info = &h->qh_info.u.v2_mdqi;
		125	struct qtree_mem_dqinfo *info = &v2info->dqi_qtree;
		126	@@ -655,10 +674,14 @@ int qtree_scan_dquots(struct quota_handle *h,
		127	ext2fs_free_mem(&dquot);
		128	return -1;
		129	}
		130	- v2info->dqi_used_entries = report_tree(dquot, QT_TREEOFF, 0, bitmap,
		131	- process_dquot, data);
		132	+ ret = report_tree(dquot, QT_TREEOFF, 0, bitmap, process_dquot, data);
		133	+ if (ret < 0)
		134	+ goto errout;
		135	+ v2info->dqi_used_entries = ret;
		136	v2info->dqi_data_blocks = find_set_bits(bitmap, info->dqi_blocks);
		137	+ ret = 0;
		138	+errout:
		139	ext2fs_free_mem(&bitmap);
		140	ext2fs_free_mem(&dquot);
		141	- return 0;
		142	+ return ret;
		143	}
		144	diff --git a/lib/support/quotaio_v2.c b/lib/support/quotaio_v2.c
		145	index 38be2a3..7390667 100644
		146	--- a/lib/support/quotaio_v2.c
		147	+++ b/lib/support/quotaio_v2.c
		148	@@ -175,6 +175,8 @@ static int v2_check_file(struct quota_handle *h, int type, int fmt)
		149	static int v2_init_io(struct quota_handle *h)
		150	{
		151	struct v2_disk_dqinfo ddqinfo;
		152	+ struct v2_mem_dqinfo *info;
		153	+ __u64 filesize;
		154
		155	h->qh_info.u.v2_mdqi.dqi_qtree.dqi_entry_size =
		156	sizeof(struct v2r1_disk_dqblk);
		157	@@ -185,6 +187,32 @@ static int v2_init_io(struct quota_handle *h)
		158	sizeof(ddqinfo)) != sizeof(ddqinfo))
		159	return -1;
		160	v2_disk2memdqinfo(&h->qh_info, &ddqinfo);
		161	+
		162	+ /* Check to make sure quota file info is sane */
		163	+ info = &h->qh_info.u.v2_mdqi;
		164	+ if (ext2fs_file_get_lsize(h->qh_qf.e2_file, &filesize))
		165	+ return -1;
		166	+ if ((filesize > (1U << 31)) \|\|
		167	+ (info->dqi_qtree.dqi_blocks >
		168	+ (filesize + QT_BLKSIZE - 1) >> QT_BLKSIZE_BITS)) {
		169	+ log_err("Quota inode %u corrupted: file size %llu; "
		170	+ "dqi_blocks %u", h->qh_qf.ino,
		171	+ filesize, info->dqi_qtree.dqi_blocks);
		172	+ return -1;
		173	+ }
		174	+ if (info->dqi_qtree.dqi_free_blk >= info->dqi_qtree.dqi_blocks) {
		175	+ log_err("Quota inode %u corrupted: free_blk %u; dqi_blocks %u",
		176	+ h->qh_qf.ino, info->dqi_qtree.dqi_free_blk,
		177	+ info->dqi_qtree.dqi_blocks);
		178	+ return -1;
		179	+ }
		180	+ if (info->dqi_qtree.dqi_free_entry >= info->dqi_qtree.dqi_blocks) {
		181	+ log_err("Quota inode %u corrupted: free_entry %u; "
		182	+ "dqi_blocks %u", h->qh_qf.ino,
		183	+ info->dqi_qtree.dqi_free_entry,
		184	+ info->dqi_qtree.dqi_blocks);
		185	+ return -1;
		186	+ }
		187	return 0;
		188	}
		189
		190