This addresses a potential security vulnerability where an untrusted
filesystem can be corrupted in such a way that a program using
libext2fs will allocate a buffer which is far too small. This can
lead to either a crash or potentially a heap-based buffer overflow
crash. No known exploits exist, but main concern is where an
untrusted user who possesses privileged access in a guest Xen
environment could corrupt a filesystem which is then accessed by the
pygrub program, running as root in the dom0 host environment, thus
allowing the untrusted user to gain privileged access in the host OS.
Thanks to the McAfee AVERT Research group for reporting this issue.
Addresses CVE-2007-5497.
Signed-off-by: Rafal Wojtczuk <rafal_wojtczuk@mcafee.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Ubuntu has init script and installer issues which cause them to have
significant problems with time zones. This is compounded with a
relatively inexperienced user base who want to dual boot with Windows
and so have their hardware clocks tick localtime.
Addresses-Ubuntu-Bug: #131201
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
A missing dependency on ss_err.h meant that std_rqs.o could fail when
e2fsprogs was being built using make -j.
Thanks to Robert Kerr for reporting this bug.
Addresses-Sourceforge-Bug: #1842331
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
The heuristics in blkid/devname.c probe_all() for scanning whole disks
with no partitions assume that a device name with no digit on the end
will always be present as a delineator, i.e.:
sda
sda1
sdb
sdc
In this case, when sdc is seen, it's the clue to go back and scan sdb.
However, for something like:
sda
sda1
sdb
loop0
this falls down, and sdb is never scanned.
(thanks to Karel Zak for pointing this out).
Addresses-Red-Hat-Bugzilla: #400321
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
We cannot merge a removed directory entry to just arbitrary previous
directory entry. The previous entry must be in the same block. So
really bad things can happen when are deleting the first directory
entry in a block where the last directory entry in the previous
directory block is not in use. We fix this bug by checking to see if
the current entry is not the first one in the block before trying to
merge it to the previous entry.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
On my FC8 install, ismounted.c fails to build because open(O_CREAT) is
used without passing a mode. The following trivial patch fixes it.
Signed-off-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
In raw mode (-r), e2image appends an extra byte to the image-file's
end if the last block requires a sparse write. Consequently, the
resulting image-file is one byte larger than the original in
size. This patch fixes the problem by seeking to one less than the
given offset, so that the byte write does not overflow into the next
block.
This problem can be reproduced by doing an e2image -r dev image-file
and comparing the original and resulting image sizes. This assumes the
image is sparse at the end. For my tests, I created a 100MB sparse
image with two files.
Signed-off-by: Arun Thomas <thomasar@us.ibm.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
The -R option is only used for backwards compatibility, and -E is
preferred, so change the usage message accordingly.
Signed-off-by: Coly Li <coyli@suse.de>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
squashfs has no uuid or labels, so all we need is the magic
(for big-endian too!)
Addresses-Red-Hat-Bugzilla: #305151
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
libblkid: recognize squashfs filesystems
squashfs has no uuid or labels, so all we need is the magic.
Addresses-Red-Hat-Bugzilla: #305151
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
If the primary superblock differs from the backup superblock in
certain key respects, force a full check (if e2fsck was invoked in
preen mode). If the filesystem check passes cleanly, and the
filesystem was opened in read/write mode, then write the primary
superblock to all of the backups.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
If e2fsck adds or deletes any of the feature bitmasks, clear
EXT2_FLAG_MASTER_SB_ONLY so the backup superblocks are updated when
e2fsck finishes.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
ext2fs_dblist_dir_iterate() calls ext2fs_dblist_iterate(), which calls
ext2fs_process_dir_block(), which in turn calls the helper function
db_dir_proc() which calls callback function passed into
ext2fs_dblist_dir_iterate(). At each stage the conventions for
signalling requests to abort the iteration or to signal errors
changes, db_dir_proc() was not properly mapping the abort request back
to ext2fs_dblist_iterate().
Currently db_dir_proc() is ignoring errors (i/o errors or directory
block corrupt errors) from ext2fs_process_dir_block(), since the main
user of ext2fs_dblist_dir_iterate() is e2fsck, for which this is the
correct behavior. In the future ext2fs_dblist_dir_iterate() could
take a flag which would cause it to abort if
ext2fs_process_dir_block() returns an error; however, it's not clear
how useful this would be since we don't have a way of signalling the
exact nature of which block had the error, and the caller wouldn't
have a good way of knowing what percentage of the directory block list
had been processed. Ultimately this may not be the best interface for
applications that need that level of error reporting.
Thanks to Vladimir V. Saveliev <vs@clusterfs.com> for pointing out
this problem.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
The FAT filesystem doesn't have its superblock with a set of magic
strings in a fixed location. Therefore, we must also check for the
FAT filesystem if it looks like we have an MBR at the beginning of the
partition. We previously checked if the first byte was a jump
instruction but that missed some USB disks with only one bootable
partition. Now we check for the MBR signature (0x55AA at offset 510)
as well as any partition where byte 0 is \351 or \353.
Signed-off-by: Karel Zak <kzak@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
If superblock mount time or last write time is in the future, and the
user refuses to fix the problem, don't mark the filesystem as being
invalid and needing to be checked.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
The Ubuntu init scripts don't properly set the system time correctly
from hardware clock if the hardware clock is configured to tick local
time instead of GMT time.
Work around this as best as we can by providing an option in
/etc/e2fsck.conf which can be set on Ubuntu systems:
[options]
buggy_init_scripts = 1
Addresses-Debian-Bug: #441093
Addresses-Ubuntu-Bug: #131201
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
If a user specifies a bind mount with a non-zero fsck pass number, for
example:
/foo /bar ext3 bind,defaults 1 3
print a warning and ignore the fstab entry.
Addresses-Red-Hat-Bugzilla: #151533
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Older e2fsck's would crash; e2fsck should now automatically retry
using the backup superblock if it is present.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
The resize2fs tests, r_move_itable and r_resize_inode, were not
deleting the test.img tmpfile after completing the test.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
E2fsck currently only retries with the backup superblock if the
primary superblock is missing (e.g., overwritten with garbage). If
the superblock is just corrupted enough that it looks like ext2/3/4
superblock, but it is corrupt enough that ext2fs_open2() returns an
error, e2fsck stops without retrying. Let's fix this oversight.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Any attempt to open a filesystem with s_inode_size set to zero causes
a floating point exception. This is true for e2fsck, dumpe2fs,
e2image, etc. Fix ext2fs_open2() so that it returns the error code
EXT2_ET_CORRUPT_SUPERBLOCK instead of crashing.
Thanks to Dean Bender for reporting this bug.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
atoi() does not check for errors so it shouldn't be used for human
input. For example, if the user enters the command "e2fsck -C -n" and
forgets that -C requires an argument, the -n will be used as the
argument to -C, and not parsed as an option. When using sscanf(),
this error case can be detected.
Addresses-Debian-Bug: #435381
Signed-off-by: Bernd Schubert <bs@q-leap.de>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Fix up $(root_sysconfdir) handling misc/Makefile.in so that
make install and make uninstall works correctly when $prefix != /.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Allow files to be preallocated on-disk up to the next multiple of the
system's page size without complaining about extra blocks.
Signed-off-by: Andreas Dilger <adilger@clusterfs.com>
Signed-off-by: Girish Shilamkar <girish@clusterfs.com>
Signed-off-by: Kalpak Shah <kalpak@clusterfs.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
The test in ext2fs_check_desc() is off by one; if the inode table
goes all the way to the last block of the block group, it will
falsely assert that it has extended past it. The last block
of a range is start + len -1, not start + len.
You can create (valid) filesystems that will cause e2fsck to complain
via one of the following mkfs commands:
mkfs.ext3 -F -b 1024 /dev/sdb1 2046000000
mke2fs -j -F -b 4096 -m 0 -N 5217280 /mnt/test/fsfile2 327680
mkfs.ext2 -F -b 1024 -m 0 -g 256 -N 3744 fsfile 1024
Addresses-Red-Hat-Bugzilla: #214765
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
For some odd geometries*, mkfs will try to allocate inode tables off
the end of the block group and fail, rather than warning that too
many inodes have been requested.
This is because when ext2fs_initialize calculates metadata overhead,
it is only adding in group descriptor blocks and the superblock
if the *last* bg contains them - but the first bg also has all of
the various metadata bits taking up space.
We need to calculate the overhead both for the first block group and
the last block groups separately, since the two different tests need
to know what the overheads are for those two cases, which may be
different.
*for example "mke2fs -b 1024 -m 0 -g 256 -N 3745 fsfile 1024"
(Note, the test here is a little funky; the expected output is
actually a mkfs failure - but a proper failure instead of the
allocator catching the problem at the last minute)
Addresses-Red-Hat-Bugzilla: #241767
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
We need to set t->i_file_acl before we test it in
ext2fs_inode_data_blocks()
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
A recent change to e2fsck_add_dir_info() to use tdb files to check
filesystems with a very large number of filesystems had a typo which
caused us to resize the wrong data structure. This would cause a
array overrun leading to malloc pointer corruptions. Since we
normally can very accurately predict how big the the dirinfo array
needs to be, this bug only got triggered on very badly corrupted
filesystems.
Thanks to Andreas Dilger for submitting the test case which discovered
this problem, and to Kalpak Shah for writing a random testing script
which created the test case.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Recently, one of our customers found this message in pass2 of e2fsck
while doing some regression testing:
"Entry '4, 0x695a, 0x81ff, 0x0040, 0x8320, 0xa192, 0x0021' in ??? (136554) has
rec_len of 14200, should be 26908."
Both the displayed rec_len and the "should be" value are bogus. The
reason is that salvage_directory sets a offset beyond blocksize
leading to bogus messages.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
This particular bit of code has caused problems before, so make it
easier to debug problems caused by the probe verification looping
forever here.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Theodore Ts'o