e2fsprogs: patch CVE-2022-1304 (#3521)

* e2fsprogs: patch CVE-2022-1304 * e2fsprogs: manifests: update entry Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
2022-08-11 18:22:06 +05:30 · 2022-08-11 18:22:06 +05:30 · 0a903a3e01
--- a/SPECS/e2fsprogs/CVE-2019-5188.patch
+++ b/SPECS/e2fsprogs/CVE-2019-5188.patch
@ -1,100 +0,0 @@
-From 87de28fb02f853892bd77b5c84a1609afa0bab1f Mon Sep 17 00:00:00 2001
-From: Theodore Ts'o <tytso@mit.edu>
-Date: Thu, 19 Dec 2019 19:37:34 -0500
-Subject: [PATCH 1/2] e2fsck: abort if there is a corrupted directory block
- when rehashing
-
-In e2fsck pass 3a, when we are rehashing directories, at least in
-theory, all of the directories should have had corruptions with
-respect to directory entry structure fixed.  However, it's possible
-(for example, if the user declined a fix) that we can reach this stage
-of processing with a corrupted directory entries.
-
-So check for that case and don't try to process a corrupted directory
-block so we don't run into trouble in mutate_name() if there is a
-zero-length file name.
-
-Addresses: TALOS-2019-0973
-Addresses: CVE-2019-5188
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
- e2fsck/rehash.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
-index 7c4ab08..27e1429 100644
--- a/e2fsck/rehash.c
-+++ b/e2fsck/rehash.c
-@@ -159,6 +159,10 @@ static int fill_dir_block(ext2_filsys fs,
- 		dir_offset += rec_len;
- 		if (dirent->inode == 0)
- 			continue;
-+		if ((name_len) == 0) {
-+			fd->err = EXT2_ET_DIR_CORRUPTED;
-+			return BLOCK_ABORT;
-+		}
- 		if (!fd->compress && (name_len == 1) &&
- 		    (dirent->name[0] == '.'))
- 			continue;
-@@ -398,6 +402,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs,
- 			continue;
- 		}
- 		new_len = ext2fs_dirent_name_len(ent->dir);
-+		if (new_len == 0) {
-+			 /* should never happen */
-+			ext2fs_unmark_valid(fs);
-+			continue;
-+		}
- 		memcpy(new_name, ent->dir->name, new_len);
- 		mutate_name(new_name, &new_len);
- 		for (j=0; j < fd->num_array; j++) {
-- 
-2.17.1
-
-
-From 2ab2c4ac3db3c287fd5ddadf7ed1f1641249859a Mon Sep 17 00:00:00 2001
-From: Theodore Ts'o <tytso@mit.edu>
-Date: Thu, 19 Dec 2019 19:45:06 -0500
-Subject: [PATCH 2/2] e2fsck: don't try to rehash a deleted directory
-
-If directory has been deleted in pass1[bcd] processing, then we
-shouldn't try to rehash the directory in pass 3a when we try to
-rehash/reoptimize directories.
-
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
- e2fsck/pass1b.c | 4 ++++
- e2fsck/rehash.c | 2 ++
- 2 files changed, 6 insertions(+)
-
-diff --git a/e2fsck/pass1b.c b/e2fsck/pass1b.c
-index 5693b9c..bca701c 100644
--- a/e2fsck/pass1b.c
-+++ b/e2fsck/pass1b.c
-@@ -705,6 +705,10 @@ static void delete_file(e2fsck_t ctx, ext2_ino_t ino,
- 		fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx);
- 	if (ctx->inode_bad_map)
- 		ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino);
-+	if (ctx->inode_reg_map)
-+		ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino);
-+	ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino);
-+	ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino);
- 	ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode));
- 	quota_data_sub(ctx->qctx, &dp->inode, ino,
- 		       pb.dup_blocks * fs->blocksize);
-diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
-index 27e1429..0a5888a 100644
--- a/e2fsck/rehash.c
-+++ b/e2fsck/rehash.c
-@@ -1024,6 +1024,8 @@ void e2fsck_rehash_directories(e2fsck_t ctx)
- 			if (!ext2fs_u32_list_iterate(iter, &ino))
- 				break;
- 		}
-+		if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino))
-+			continue;
- 
- 		pctx.dir = ino;
- 		if (first) {
-- 
-2.17.1
-
--- a/SPECS/e2fsprogs/CVE-2022-1304.patch
+++ b/SPECS/e2fsprogs/CVE-2022-1304.patch
@ -0,0 +1,58 @@
+From ab51d587bb9b229b1fade1afd02e1574c1ba5c76 Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Thu, 21 Apr 2022 19:31:48 +0200
+Subject: [PATCH] libext2fs: add sanity check to extent manipulation
+
+It is possible to have a corrupted extent tree in such a way that a leaf
+node contains zero extents in it. Currently if that happens and we try
+to traverse the tree we can end up accessing wrong data, or possibly
+even uninitialized memory. Make sure we don't do that.
+
+Additionally make sure that we have a sane number of bytes passed to
+memmove() in ext2fs_extent_delete().
+
+Note that e2fsck is currently unable to spot and fix such corruption in
+pass1.
+
+Backported to v1.46.5 by @mfrw on 2022-08-11
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Reported-by: Nils Bars <nils_bars@t-online.de>
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113
+Addresses: CVE-2022-1304
+Addresses-Debian-Bug: #1010263
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
+---
+ lib/ext2fs/extent.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
+index b324c7b0..1a206a16 100644
+--- a/lib/ext2fs/extent.c
+++ b/lib/ext2fs/extent.c
+@@ -495,6 +495,10 @@ retry:
+ 			ext2fs_le16_to_cpu(eh->eh_entries);
+ 		newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);
+ 
+		/* Make sure there is at least one extent present */
+		if (newpath->left <= 0)
+			return EXT2_ET_EXTENT_NO_DOWN;
+
+ 		if (path->left > 0) {
+ 			ix++;
+ 			newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);
+@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)
+ 
+ 	cp = path->curr;
+ 
+	/* Sanity check before memmove() */
+	if (path->left < 0)
+		return EXT2_ET_EXTENT_LEAF_BAD;
+
+ 	if (path->left) {
+ 		memmove(cp, cp + sizeof(struct ext3_extent_idx),
+ 			path->left * sizeof(struct ext3_extent_idx));
+-- 
+2.37.1
+
--- a/SPECS/e2fsprogs/e2fsprogs.spec
+++ b/SPECS/e2fsprogs/e2fsprogs.spec
@ -1,13 +1,14 @@
 Summary:        Contains the utilities for the ext2 file system
 Name:           e2fsprogs
 Version:        1.46.5
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2 AND LGPLv2 AND BSD AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Base
 URL:            http://e2fsprogs.sourceforge.net
 Source0:        https://prdownloads.sourceforge.net/e2fsprogs/%{name}-%{version}.tar.gz
+Patch0:         CVE-2022-1304.patch
 Requires:       %{name}-libs = %{version}-%{release}
 Conflicts:      toybox

@ -36,7 +37,7 @@ Requires:       %{name} = %{version}-%{release}
 These are the additional language files of e2fsprogs

 %prep
-%setup -q
+%autosetup -p1
 sed -i -e 's|^LD_LIBRARY_PATH.*|&:/tools/lib|' tests/test_config

 %build
@ -143,6 +144,10 @@ done
 %defattr(-,root,root)

 %changelog
+* Thu Aug 11 2022 Muhammad Falak <mwani@microsoft.com> - 1.46.5-3
+- Switch to `%autosetup` instead of `%setup`
+- Patch CVE-2022-1304
+
 * Mon Jul 18 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.46.5-2
 - Running package tests in a single thread and printing logs for failures.

--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -183,7 +183,7 @@ rpm-lang-4.17.0-9.cm2.aarch64.rpm
 rpm-libs-4.17.0-9.cm2.aarch64.rpm
 cpio-2.13-4.cm2.aarch64.rpm
 cpio-lang-2.13-4.cm2.aarch64.rpm
-e2fsprogs-libs-1.46.5-2.cm2.aarch64.rpm
+e2fsprogs-libs-1.46.5-3.cm2.aarch64.rpm
 libsolv-0.7.20-1.cm2.aarch64.rpm
 libsolv-devel-0.7.20-1.cm2.aarch64.rpm
 libssh2-1.9.0-2.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -183,7 +183,7 @@ rpm-lang-4.17.0-9.cm2.x86_64.rpm
 rpm-libs-4.17.0-9.cm2.x86_64.rpm
 cpio-2.13-4.cm2.x86_64.rpm
 cpio-lang-2.13-4.cm2.x86_64.rpm
-e2fsprogs-libs-1.46.5-2.cm2.x86_64.rpm
+e2fsprogs-libs-1.46.5-3.cm2.x86_64.rpm
 libsolv-0.7.20-1.cm2.x86_64.rpm
 libsolv-devel-0.7.20-1.cm2.x86_64.rpm
 libssh2-1.9.0-2.cm2.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -57,11 +57,11 @@ docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-13.cm2.noarch.rpm
 dwz-0.14-1.cm2.aarch64.rpm
 dwz-debuginfo-0.14-1.cm2.aarch64.rpm
-e2fsprogs-1.46.5-2.cm2.aarch64.rpm
-e2fsprogs-debuginfo-1.46.5-2.cm2.aarch64.rpm
-e2fsprogs-devel-1.46.5-2.cm2.aarch64.rpm
-e2fsprogs-lang-1.46.5-2.cm2.aarch64.rpm
-e2fsprogs-libs-1.46.5-2.cm2.aarch64.rpm
+e2fsprogs-1.46.5-3.cm2.aarch64.rpm
+e2fsprogs-debuginfo-1.46.5-3.cm2.aarch64.rpm
+e2fsprogs-devel-1.46.5-3.cm2.aarch64.rpm
+e2fsprogs-lang-1.46.5-3.cm2.aarch64.rpm
+e2fsprogs-libs-1.46.5-3.cm2.aarch64.rpm
 elfutils-0.186-1.cm2.aarch64.rpm
 elfutils-debuginfo-0.186-1.cm2.aarch64.rpm
 elfutils-default-yama-scope-0.186-1.cm2.noarch.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -57,11 +57,11 @@ docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-13.cm2.noarch.rpm
 dwz-0.14-1.cm2.x86_64.rpm
 dwz-debuginfo-0.14-1.cm2.x86_64.rpm
-e2fsprogs-1.46.5-2.cm2.x86_64.rpm
-e2fsprogs-debuginfo-1.46.5-2.cm2.x86_64.rpm
-e2fsprogs-devel-1.46.5-2.cm2.x86_64.rpm
-e2fsprogs-lang-1.46.5-2.cm2.x86_64.rpm
-e2fsprogs-libs-1.46.5-2.cm2.x86_64.rpm
+e2fsprogs-1.46.5-3.cm2.x86_64.rpm
+e2fsprogs-debuginfo-1.46.5-3.cm2.x86_64.rpm
+e2fsprogs-devel-1.46.5-3.cm2.x86_64.rpm
+e2fsprogs-lang-1.46.5-3.cm2.x86_64.rpm
+e2fsprogs-libs-1.46.5-3.cm2.x86_64.rpm
 elfutils-0.186-1.cm2.x86_64.rpm
 elfutils-debuginfo-0.186-1.cm2.x86_64.rpm
 elfutils-default-yama-scope-0.186-1.cm2.noarch.rpm