From patchwork Sun Feb 15 00:51:37 2015
X-Patchwork-Submitter: Theodore Ts'o
X-Patchwork-Id: 439811
From: Theodore Ts'o
To: Ext4 Developers List
Cc: nnk@google.com, keescook@google.com, Theodore Ts'o
Subject: [PATCH] libext2fs: fix potential buffer overflow in closefs()
Date: Sat, 14 Feb 2015 19:51:37 -0500
Message-Id: <1423961497-9715-1-git-send-email-tytso@mit.edu>
X-Mailer: git-send-email 2.1.0
X-Mailing-List: linux-ext4@vger.kernel.org

The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if s_first_meta_bg is too big" had a typo in the fix for ext2fs_closefs(). In practice most of the security exposure was from the openfs path, since this meant that if there was a carefully crafted file system, a buffer overrun would be triggered when the file system was opened. However, if a corrupted file system didn't trip over some corruption check, and then the file system was modified via tune2fs or debugfs, such that the superblock was marked dirty and then written out via the closefs() path, it's possible that the buffer overrun could be triggered when the file system is closed.

Also clear up a signed vs unsigned warning while we're at it.

Thanks to Nick Kralevich for asking me to look at a compiler warning in the code in question, which led me to notice the bug in f66e6ce4446.

Addresses: CVE-2015-1572

Signed-off-by: Theodore Ts'o
---
 lib/ext2fs/closefs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c index 1f99113..ab5b2fb 100644 --- a/lib/ext2fs/closefs.c +++ b/lib/ext2fs/closefs.c @@ -287,7 +287,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags) dgrp_t j; #endif char *group_ptr; - int old_desc_blocks; + blk64_t old_desc_blocks; struct ext2fs_numeric_progress_struct progress; EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS); 
@@ -346,7 +346,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags) group_ptr = (char *) group_shadow; if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) { old_desc_blocks = fs->super->s_first_meta_bg; - if (old_desc_blocks > fs->super->s_first_meta_bg) + if (old_desc_blocks > fs->desc_blocks) old_desc_blocks = fs->desc_blocks; } else old_desc_blocks = fs->desc_blocks;
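Review bot: in the first hunk (the declaration at line 287 of ext2fs_flush2()), widening old_desc_blocks from int to blk64_t makes every later comparison and loop bound on it unsigned, so the variable can no longer be sanity-checked with a "less than zero" test and the only thing bounding it is the clamp against fs->desc_blocks in the META_BG branch. A one-line comment at the declaration stating that this is the number of descriptor blocks to write out and must never exceed fs->desc_blocks would make that invariant visible to whoever next touches the write loop. The type change itself is the right way to silence the signed vs unsigned warning the commit message mentions, since the values it is compared against (s_first_meta_bg and fs->desc_blocks) are both unsigned.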
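Review bot: in the second hunk, the removed line "if (old_desc_blocks > fs->super->s_first_meta_bg)" compared old_desc_blocks against the very field it had been assigned from on the previous line, so the condition was always false and the clamp to fs->desc_blocks never executed; the replacement "if (old_desc_blocks > fs->desc_blocks)" compares against the real size of the descriptor buffer and is the correct fix. Two follow-ups would make this harder to regress: a test image with s_first_meta_bg larger than desc_blocks that is opened, dirtied with debugfs or tune2fs and then closed, which is exactly the path the commit message describes and the one f66e6ce4446's openfs check does not cover; and building with a self-comparison warning enabled (clang and newer gcc report "x > x" under -Wtautological-compare), which would have flagged the removed line.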
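The clamp the second hunk corrects, as an added example that is not part of the e2fsprogs patch or of this mailing-list post: a small C model of how libext2fs derives desc_blocks from the superblock and how ext2fs_flush2() picks old_desc_blocks, with the self-comparison from f66e6ce4446 beside the fixed comparison, run against a constructed superblock whose s_first_meta_bg is far larger than the single descriptor block the file system actually has. The superblock field offsets, the magic and the META_BG and 64BIT feature bits are the on-disk ext2/ext4 values; the parse_sb() layout arithmetic mirrors the usual group-count and descriptors-per-block calculation but is this example's own code, and overrun_bytes() only reports how far a write loop sized by old_desc_blocks would read past the group-descriptor buffer instead of performing the copy.

```c
/* Added example, not e2fsprogs code: models the old_desc_blocks clamp in
 * ext2fs_flush2() before and after the CVE-2015-1572 fix. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT2_SUPER_MAGIC              0xEF53
#define EXT2_FEATURE_INCOMPAT_META_BG 0x0010
#define EXT4_FEATURE_INCOMPAT_64BIT   0x0080

/* On-disk superblock field offsets (little-endian). */
#define SB_BLOCKS_COUNT     0x04
#define SB_FIRST_DATA_BLOCK 0x14
#define SB_LOG_BLOCK_SIZE   0x18
#define SB_BLOCKS_PER_GROUP 0x20
#define SB_MAGIC            0x38
#define SB_FEATURE_INCOMPAT 0x60
#define SB_DESC_SIZE        0xFE
#define SB_FIRST_META_BG    0x104
#define SB_SIZE             1024

struct sb_view {
    uint32_t blocksize;
    uint32_t feature_incompat;
    uint32_t first_meta_bg;
    uint64_t desc_blocks;   /* blocks the in-memory GDT buffer really holds */
};

static uint16_t rd16(const uint8_t *p, size_t o) { return (uint16_t)(p[o] | (p[o + 1] << 8)); }
static uint32_t rd32(const uint8_t *p, size_t o) {
    return (uint32_t)p[o] | ((uint32_t)p[o + 1] << 8) | ((uint32_t)p[o + 2] << 16) | ((uint32_t)p[o + 3] << 24);
}
static void wr16(uint8_t *p, size_t o, uint16_t v) { p[o] = (uint8_t)v; p[o + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, size_t o, uint32_t v) { for (int i = 0; i < 4; i++) p[o + i] = (uint8_t)(v >> (8 * i)); }

/* Derive the layout values open-time code would compute (this example's own
 * arithmetic, not libext2fs). Returns 0 on success, -1 on an obviously bad block. */
int parse_sb(const uint8_t *sb, struct sb_view *v)
{
    uint32_t log_bs = rd32(sb, SB_LOG_BLOCK_SIZE);
    if (rd16(sb, SB_MAGIC) != EXT2_SUPER_MAGIC || log_bs > 6)
        return -1;
    v->blocksize = 1024u << log_bs;
    v->feature_incompat = rd32(sb, SB_FEATURE_INCOMPAT);
    v->first_meta_bg = rd32(sb, SB_FIRST_META_BG);
    uint32_t desc_size = (v->feature_incompat & EXT4_FEATURE_INCOMPAT_64BIT) ? rd16(sb, SB_DESC_SIZE) : 32;
    uint32_t bpg = rd32(sb, SB_BLOCKS_PER_GROUP);
    uint32_t blocks = rd32(sb, SB_BLOCKS_COUNT), first = rd32(sb, SB_FIRST_DATA_BLOCK);
    if (bpg == 0 || desc_size < 32 || desc_size > v->blocksize || blocks <= first)
        return -1;
    uint64_t groups = ((uint64_t)blocks - first + bpg - 1) / bpg;      /* group_desc_count */
    uint32_t desc_per_block = v->blocksize / desc_size;                 /* EXT2_DESC_PER_BLOCK */
    v->desc_blocks = (groups + desc_per_block - 1) / desc_per_block;
    return 0;
}

/* Clamp as written in f66e6ce4446: the variable is compared with the field it
 * was just assigned from, so the guard can never fire. */
uint64_t old_desc_blocks_buggy(const struct sb_view *v)
{
    uint64_t old_desc_blocks = v->desc_blocks;
    if (v->feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
        old_desc_blocks = v->first_meta_bg;
        if (old_desc_blocks > v->first_meta_bg)   /* always false */
            old_desc_blocks = v->desc_blocks;
    }
    return old_desc_blocks;
}

/* Clamp as in this patch: bounded by the size of the descriptor buffer. */
uint64_t old_desc_blocks_fixed(const struct sb_view *v)
{
    uint64_t old_desc_blocks = v->desc_blocks;
    if (v->feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
        old_desc_blocks = v->first_meta_bg;
        if (old_desc_blocks > v->desc_blocks)
            old_desc_blocks = v->desc_blocks;
    }
    return old_desc_blocks;
}

/* The flush loop reads old_desc_blocks blocks out of a buffer holding
 * desc_blocks * blocksize bytes (group_ptr in closefs.c). Report, without
 * copying anything, how many bytes such a loop would read past that buffer. */
uint64_t overrun_bytes(const struct sb_view *v, uint64_t old_desc_blocks)
{
    uint64_t have = v->desc_blocks * v->blocksize;
    uint64_t want = old_desc_blocks * v->blocksize;
    return want > have ? want - have : 0;
}

/* Constructed superblock (not from any real image): 1 KiB blocks, one block
 * group so one GDT block, META_BG set, s_first_meta_bg = 1048576. */
void build_crafted_sb(uint8_t sb[SB_SIZE])
{
    memset(sb, 0, SB_SIZE);
    wr16(sb, SB_MAGIC, EXT2_SUPER_MAGIC);
    wr32(sb, SB_BLOCKS_COUNT, 8192);
    wr32(sb, SB_FIRST_DATA_BLOCK, 1);
    wr32(sb, SB_LOG_BLOCK_SIZE, 0);
    wr32(sb, SB_BLOCKS_PER_GROUP, 8192);
    wr32(sb, SB_FEATURE_INCOMPAT, EXT2_FEATURE_INCOMPAT_META_BG);
    wr32(sb, SB_FIRST_META_BG, 0x00100000);
}

/* old_desc_blocks chosen for the crafted image with the buggy (fixed == 0)
 * or corrected (fixed != 0) clamp; UINT64_MAX if the superblock is rejected. */
uint64_t crafted_old_desc_blocks(int fixed)
{
    uint8_t sb[SB_SIZE];
    struct sb_view v;
    build_crafted_sb(sb);
    if (parse_sb(sb, &v) != 0)
        return UINT64_MAX;
    return fixed ? old_desc_blocks_fixed(&v) : old_desc_blocks_buggy(&v);
}

/* Bytes the write loop would read past the buffer for the same two variants. */
uint64_t crafted_overrun(int fixed)
{
    uint8_t sb[SB_SIZE];
    struct sb_view v;
    build_crafted_sb(sb);
    if (parse_sb(sb, &v) != 0)
        return UINT64_MAX;
    return overrun_bytes(&v, fixed ? old_desc_blocks_fixed(&v) : old_desc_blocks_buggy(&v));
}

int main(void)
{
    printf("buggy: old_desc_blocks=%llu overrun=%llu bytes\n",
           (unsigned long long)crafted_old_desc_blocks(0), (unsigned long long)crafted_overrun(0));
    printf("fixed: old_desc_blocks=%llu overrun=%llu bytes\n",
           (unsigned long long)crafted_old_desc_blocks(1), (unsigned long long)crafted_overrun(1));
    return 0;
}
```

With the buggy clamp the crafted image makes the flush loop want 1048576 descriptor blocks out of a one-block buffer, about 1 GiB past its end; with the patch's comparison the loop is bounded to the single block that exists. The openfs-side check from f66e6ce4446 is deliberately not modeled here, which is the situation the commit message describes: a superblock that survives open but is flushed on close.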