Date:   Thu, 26 Dec 2019 23:49:36 -0500
From:   "Theodore Y. Ts'o" <tytso@....edu>
To:     Anatoly Pugachev <matorola@...il.com>
Cc:     linux-ext4@...r.kernel.org
Subject: Re: e2fsprogs.git dumpe2fs / mke2fs sigserv on sparc64

On Wed, Dec 18, 2019 at 03:01:03AM +0300, Anatoly Pugachev wrote:
> On Tue, Dec 17, 2019 at 9:01 PM Anatoly Pugachev <matorola@...il.com> wrote:
> >
> > Getting current git e2fsprogs of dumpe2fs/mke2fs (and probably others)
> > segfaults (via make check) with the following backtrace...

Hi,

Thanks for reporting this bug.  It should be fixed with this commit:

commit c9a8c53b17ccc4543509d55ff3b343ddbfe805e5
Author: Theodore Ts'o <tytso@....edu>
Date:   Thu Dec 26 23:19:54 2019 -0500

    libext2fs: fix crash in ext2fs_open2() on Big Endian systems
    
    Commit e6069a05: ("Teach ext2fs_open2() to honor the
    EXT2_FLAG_SUPER_ONLY flag") changed how the function
    ext2fs_group_desc() handled a request for a gdp pointer for a group
    larger than the number of groups in the file system; it now returns
    NULL, instead of returning a pointer beyond the end of the array.
    
    Previously, the ext2fs_open2() function would swap all of the block
    group descriptors in a block, even if they are beyond the end of the
    file system.  This was OK, since we were not overrunning the allocated
    memory, since it was rounded to a block boundary.  But now that
    ext2fs_group_desc() would return NULL for those gdp, it would cause
    ext2fs_open2(), when it was byte swapping the block group descriptors
    on Big Endian systems, to dereference a null pointer and crash.
    
    This commit adds a NULL pointer check to avoid byte swapping those
    block group descriptors in a bg descriptor block, but which are beyond
    the end of the file system, to address this crash.
    
    Signed-off-by: Theodore Ts'o <tytso@....edu>
    Reported-by: Anatoly Pugachev <matorola@...il.com>

diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c
index ec2d6cb4..3331452d 100644
--- a/lib/ext2fs/openfs.c
+++ b/lib/ext2fs/openfs.c
@@ -435,7 +435,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
 		gdp = (struct ext2_group_desc *) dest;
 		for (j=0; j < groups_per_block*first_meta_bg; j++) {
 			gdp = ext2fs_group_desc(fs, fs->group_desc, j);
-			ext2fs_swap_group_desc2(fs, gdp);
+			if (gdp)
+				ext2fs_swap_group_desc2(fs, gdp);
 		}
 #endif
 		dest += fs->blocksize*first_meta_bg;
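Review bot: the `if (gdp)` guard before `ext2fs_swap_group_desc2(fs, gdp);` is correct, but since `j` only increases and, per the commit message, ext2fs_group_desc() returns NULL for every group past the end of the file system, each later iteration will yield NULL as well; a `break` here, or bounding the loop at the real group count instead of `groups_per_block*first_meta_bg`, would state that intent instead of silently spinning over the padding slots. The store `gdp = (struct ext2_group_desc *) dest;` just above the loop predates this change but is dead, since the loop overwrites `gdp` on its first iteration, and could be dropped in the same pass.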
@@ -455,7 +456,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
 		for (j=0; j < groups_per_block; j++) {
 			gdp = ext2fs_group_desc(fs, fs->group_desc,
 						i * groups_per_block + j);
-			ext2fs_swap_group_desc2(fs, gdp);
+			if (gdp)
+				ext2fs_swap_group_desc2(fs, gdp);
 		}
 #endif
 		dest += fs->blocksize;
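Review bot: this is the same guard as in the first hunk, so the two swap loops could share one bounded iteration rather than carrying the NULL check twice. Both loops also sit under conditional compilation (the `#endif` in the context, presumably the big-endian guard the commit message refers to), which is why the crash only surfaced on the reporter's sparc64: `make check` on a little-endian host never compiles these lines, so the fix needs to be exercised on a big-endian build, and the commit message would be clearer if it said so.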

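As an added example, not e2fsprogs code, of the failure mode the commit message describes: a constructed model in which the descriptor block is allocated with more slots than the file system has groups, the bounds-checked lookup returns NULL past the last group (as ext2fs_group_desc() does after commit e6069a05), and the byte-swap loop skips those NULLs the way the patch does. The names gdesc, model_fs, model_group_desc, swap_group_desc_block and demo_swap are assumptions; __builtin_bswap32 stands in for ext2fs_swap_group_desc2().

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of one group-descriptor block (not e2fsprogs code): the
 * block holds groups_per_block slots, of which group_desc_count are real groups. */
struct gdesc {
    uint32_t bg_block_bitmap;
    uint32_t bg_inode_bitmap;
};
struct model_fs {
    size_t group_desc_count;   /* groups actually in the file system */
    size_t groups_per_block;   /* slots in the allocated block, rounded up */
    struct gdesc *group_desc;  /* groups_per_block slots */
};

/* Bounds-checked lookup in the spirit of ext2fs_group_desc() after commit
 * e6069a05: a request past the last group yields NULL, not a padding slot. */
static struct gdesc *model_group_desc(const struct model_fs *fs, size_t group)
{
    return group < fs->group_desc_count ? &fs->group_desc[group] : NULL;
}

/* Byte-swap the whole block, as the big-endian path of ext2fs_open2() does.
 * Returns how many descriptors were swapped (GCC/Clang builtin does the swap). */
static size_t swap_group_desc_block(struct model_fs *fs)
{
    size_t swapped = 0;
    for (size_t j = 0; j < fs->groups_per_block; j++) {
        struct gdesc *gdp = model_group_desc(fs, j);
        if (!gdp)      /* the patch's check; without it this dereferences NULL */
            continue;
        gdp->bg_block_bitmap = __builtin_bswap32(gdp->bg_block_bitmap);
        gdp->bg_inode_bitmap = __builtin_bswap32(gdp->bg_inode_bitmap);
        swapped++;
    }
    return swapped;
}

/* Two real groups in a four-slot block; returns the swapped count or -1 on error. */
static int demo_swap(void)
{
    struct gdesc slots[4] = { {0x01020304u, 0x0a0b0c0du}, {1, 2}, {0, 0}, {0, 0} };
    struct model_fs fs = { 2, 4, slots };
    size_t n = swap_group_desc_block(&fs);
    if (slots[0].bg_block_bitmap != 0x04030201u || slots[1].bg_inode_bitmap != 0x02000000u
        || slots[2].bg_block_bitmap || slots[3].bg_inode_bitmap)
        return -1;     /* a real slot swapped wrongly, or a padding slot touched */
    return (int)n;
}
```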