This addresses a potential security vulnerability where an untrusted
filesystem can be corrupted in such a way that a program using
libext2fs will allocate a buffer which is far too small. This can
lead to either a crash or potentially a heap-based buffer overflow
crash. No known exploits exist, but main concern is where an
untrusted user who possesses privileged access in a guest Xen
environment could corrupt a filesystem which is then accessed by the
pygrub program, running as root in the dom0 host environment, thus
allowing the untrusted user to gain privileged access in the host OS.
Thanks to the McAfee AVERT Research group for reporting this issue.
Addresses CVE-2007-5497.
Signed-off-by: Rafal Wojtczuk <rafal_wojtczuk@mcafee.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
There were still some %d's lurking when we print blocks & inodes; also
many of the counters in the e2fsck_struct were signed, and probably
need to be unsigned to avoid overflows.
Signed-off-by: Eric Sandeen <esandeen@redhat.com>
alloc.c, bb_inode.c, bitmaps.c, bitops.h, block.c, bmap.c, bmove.c,
brel.h, cmp_bitmaps.c, dblist.c, dblist_dir.c, dir_iterate.c,
expanddir.c, ext2fs.h, ext2fsP.h, fileio.c, finddev.c, get_pathname.c,
icount.c, inode.c, irel.h, irel_ma.c, ismounted.c, link.c, lookup.c,
mkdir.c, mkjournal.c, namei.c, newdir.c, read_bb_file.c, test_io.c,
tst_iscan.c, unix_io.c, unlink.c: Change use of ino_t to ext2_ino_t,
to protect applications that attempt to compile
-D_FILE_OFFSET_BITS=64, since this inexplicably changes ino_t(!?). So
we use ext2_ino_t to avoid an unexpected ABI change.
alloc_tables.c (ext2fs_allocate_group_table): Fix bug so that if the
stride length hits a bad value, we retry the block allocation starting
at the beginning of the block group.
ext2fs.h, bb_inode.c, block.c, bmove.c, dir_iterate.c, expanddir.c,
ext2fsP.h, read_bb.c: Change blkcnt_t to be e2_blkcnt_t to avoid
collision with LFS API.
ext2fs.h: If __STRICT_ANSI__ is defined and we're on a platform with
32 bit longs, then we need to manually define __s64 and __u64, since
the current kernel header files don't define these if __STRICT_ANSI__
is defined. This is a problem if we are compiling with full GCC
warnings, since we do need 64 bit support.
Makefile.in (OBJS): Remove bmove.o from files to be built, since we're
not using ext2fs_move_blocks() and there is some question as to its
usefulness in its current form.
bmap.c (block_bmap): Remove unused function.
bmove.c (process_block): Fix -Wall warning.
ChangeLog, debugfs.c, debugfs.h, dump.c:
debugfs.h: Add declaration for do_dirty_filsys() to prevent -Wall
warnings.
debugfs.c (copy_file):
dump.c (dump_file): Fix -Wall warning caused by signed/unsigned mismatch.
block.c (ext2fs_block_iterate3): Make the ref_offset field contain the
offset into the inode.i_blocks array when ref_block is zero. Since we
haven't done a formal release of e2fsprogs since block_iterate2 was
first introduced, I removed block_iterate2, and renamed block_iterate3
to be block_iterate2.
bb_inode.c, bmove.c, dblist_dir.c, dir_iterate.c, expanddir.c,
ext2fs.h, ext2fsP.h, read_bb.c: Change use of block_iterate and
block_iterate2 to block_iterate2 with the new prototype for the
interator function. (using blkcnt_t forr blockcount)
ChangeLog, debugfs.c, ls.c, lsdel.c:
debugfs.c, ls.c, lsdel.c: Add support for large files. (The high 32
bits share space with the i_dir_acl field.)
ext2_io.h, ext2fs.h: Protect against being included multiple times.
bmove.c: #include ext2fsP.h instead of "ext2fs/ext2fs.h"
test_io.c (test_flush): Add a debugging printf when the flush method
is called.
rw_bitmaps.c (ext2fs_read_bitmaps): If the bitmaps are already read
in, return right away.
inode.c (ext2fs_open_inode_scan): Initialize the group variables
so that we don't need to call get_next_blockgroup() the first
time around. Saves a bit of time, and prevents us from
needing to assign -1 to current_group (which is an unsigned
value).
icount.c (insert_icount_el): Cast the estimated number of inodes
from a float to an ino_t.
alloc.c, alloc_tables.c, badlbocks.c, bb_compat.c, bb_inode.c,
bitmaps.c, bitops.c, block.c, bmap.c, bmove.c, brel_ma.c,
check_desc.c, closefs.c, cmp_bitmaps.c, dblist.c,
dblist_dir.c, dir_iterate.c, dirblock.c, dupfs.c, expanddir.c,
ext2fs.h, fileio.c, freefs.c, get_pathname.c, getsize.c,
icount.c, initialize.c, inline.c, inode.c, irel_ma.c,
ismounted.c, link.c, lookup.c, mkdir.c, namei.c, native.c,
newdir.c, openfs.c, read_bb.c, read_bb_file.c, rs_bitmap.c,
rw_bitmaps.c, swapfs.c, test_io.c, tst_badblocks.c,
tst_getsize.c, tst_iscan.c, unix_io.c, unlink.c, valid_blk.c,
version.c: If EXT2_FLAT_INCLUDES is defined, then assume all
of the ext2-specific header files are in a flat directory.
block.c, bmove.c, dirblock.c, fileio.c: Explicitly cast
all assignments from void * to be compatible with C++.
closefs.c (ext2fs_flush): Add a call to io_channel_flush() to
make sure the contents of the disk are flushed to disk.
dblist.c (ext2fs_add_dir_block): Change new to be new_entry to
avoid C++ namespace clash.
bitmaps.c (ext2fs_copy_bitmap): Change new to be new_map to
avoid C++ namespace clash.
ext2fs.h, bb_inode.c, block.c, bmove.c, brel.h, brel_ma.c,
irel.h, irel_ma.c, dblist.c, dblist_dir.c, dir_iterate.c,
ext2fsP.h, expanddir.c, get_pathname.c, inode.c, link.c,
unlink.c: Change private to be priv_data (to avoid C++
namespace clash)
dblist.c (ext2fs_get_num_dirs): Make ext2fs_get_num_dirs more paranoid
about validating the directory counts from the block group
information.
all files: Don't include stdlib.h anymore; include it in ext2_fs.h,
since that file requires stdlib.h
ChangeLog, Makefile.in, dirinfo.c:
dirinfo.c (e2fsck_add_dir_info): Use ext2fs_get_num_dirs instead of
e2fsck_get_num_dirs, which has been removed.
Makefile.in (PROGS): Remove @EXTRA_PROGS@, since we don't want to
compile and install flushb.
ChangeLog, configure.in:
Remove @EXTRA_PROGS@, since we aren't using it in 2fsck/Makefile.in anymore
ChangeLog, Makefile.in:
Install debugfs in /sbin, instead of /usr/sbin.
libext2fs.texinfo:
Update version string to be 1.12
Makefile.in:
Fix bug in find script which made the exclusion list, where a '-' was
missing from an -name option.
Added definition of ext2fs_get_mem, ext2fs_free_mem, and
ext2fs_resize_mem in ext2fs.h, and changed all library routines to use
these wrapper functions.
alloc.c (ext2fs_alloc_block): New function which allocates a
block and updates the filesystem accounting records
appropriately.
ext2_err.et.in: Added new error codes: EXT2_NO_MEMORY,
EXT2_INVALID_ARGUMENT, EXT2_BLOCK_ALLOC_FAIL, EXT2_INODE_ALLOC_FAIL,
EXT2_NOT_DIRECTORY
Change various library files to use these functions instead of EINVAL,
ENOENT, etc.
ChangeLog, pass1.c, pass3.c:
pass3.c (get_lost_and_found): Check error return of
EXT2_FILE_NOT_FOUND instead of ENOTDIR
pass1.c (pass1_check_directory): Return EXT2_NO_DIRECTORY instead of
ENOTDIR
expect.icount:
Change expected error string to be "Invalid argument passed to ext2 library"
instead of just "Invalid argument"
llseek.c (ext2fs_llseek): Fix type error for ext2fs_llseek()
icount.c (ext2fs_icount_validate):
bmove.c (process_block): Fix lint error in type for fprintf().
inode.c (ext2fs_check_directory): Add support for the callback
to return the error code EXT2_ET_CALLBACK_NOTHANDLED.
ChangeLog, mke2fs.c:
Make parse_raid_opts return a void, to fix a -Wall warning.
block.c (ext2fs_block_iterate2): Use retval which is a errcode_t type.
bitmaps.c (make_bitmap): Use size_t instead of int where appropriate.
bb_inode.c (set_bad_block_proc): Add #pragma argsused for Turbo C.
alloc.c (ext2fs_new_inode): Use ino_t instead of int for the group number.
get_pathname.c: Use ino_t instead of int where appropriate.
ext2fs.h: Make the magic structure element be errcode_t instead of int.
alloc.c alloc_tables.c badblocks.c bb_compat.c bb_inode.c
bitmaps.c block.c bmove.c brel_ma.c check_desc.c closefs.c
cmp_bitmaps.c dblist.c dblist_dir.c dir_iterate.c dirblock.c
dupfs.c expanddir.c freefs.c get_pathname.c icount.c
initialize.c inline.c inode.c irel_ma.c link.c llseek.c
lookup.c mkdir.c namei.c newdir.c read_bb.c read_bb_file.c
rs_bitmap.c rw_bitmaps.c swapfs.c test_io.c tst_badblocks.c
tst_iscan.c unix_io.c unlink.c valid_blk.c version.c: Add an
#ifdef for HAVE_UNISTD_H
Fix bug; the current inode number wasn't being set by the
goto_blockgroup function.
bmove.c, ext2fs.h:
Added new argument to bmove, so that the caller can pass the
allocation bitmap. If not specified, the allocation bitmap defaults
to fs->block_map.
bmove.c (ext2fs_move_blocks): New function which takes a bitmap of
blocks which need to be moved, and moves those blocks to another
location in the filesystem.
rs_bitmap.c (ext2fs_resize_generic_bitmap): When expanding a bitmap,
make sure all of the new parts of the bitmap are zero.
bitmaps.c (ext2fs_copy_bitmap): Fix bug; the destination bitmap wasn't
being returned to the caller.
alloc_tables.c (ext2fs_allocate_group_table): Add new function
ext2fs_allocate_group_table() which sets the group tables for a
particular block group. The relevant code was factored out of
ext2fs_allocate_tables().
dblist.c (make_dblist): Adjust the initial size of the directory block
list to be a bit more realize (ten plus twice the number of
directories in the filesystem).
Check in interim work.
Theodore Ts'o