Bug 1187032 (CVE-2015-0247) - CVE-2015-0247 e2fsprogs: ext2fs_open2() missing first_meta_bg boundary check leading to heap buffer overflow (oCERT-015-002)
Summary: CVE-2015-0247 e2fsprogs: ext2fs_open2() missing first_meta_bg boundary check ...
Keywords:
Status: NEW
Alias: CVE-2015-0247
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150205,repor...
Depends On: 1189834
Blocks: 1187035
 
Reported: 2015-01-29 08:40 UTC by Vasyl Kaigorodov
Modified: 2019-06-08 20:24 UTC (History)

Fixed In Version: e2fsprogs 1.42.12
Doc Type: Bug Fix
Doc Text:
A heap-based buffer overflow flaw was found in e2fsprogs. A specially crafted Ext2/3/4 file system could cause an application using the ext2fs library (for example, fsck) to crash or, possibly, execute arbitrary code.
Clone Of:
Environment:
Last Closed:



Description Vasyl Kaigorodov 2015-01-29 08:40:35 UTC
A heap buffer overflow was found in e2fsprogs lib/ext2fs/openfs.c.
It allows a trivial arbitrary memory write under certain conditions.

Given that fsck is affected, and that an ext2/3/4 image can force a filesystem check on mount, this will allow code execution on systems that have automount enabled by just plugging a device.

Acknowledgements:

Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter.

Comment 1 Tomas Hoger 2015-01-29 09:37:15 UTC
(In reply to Vasyl Kaigorodov from comment #0)
> A heap buffer overflow was found in e2fsprogs lib/ext2fs/openfs.c.

The report actually mentions "a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...)", only giving some example.  According to the reporter, these are fixed upstream in 1.42.12 and upstream is not planning to provide any patches for older versions.  So the info that was provided so far is "upgrade to 1.42.12 to fix unspecified number of issues".

Also oCERT id oCERT-015-001 is incorrect, as it was already used for a different advisory.

Comment 2 Tomas Hoger 2015-01-29 10:10:21 UTC
The issue identified in the report is in ext2fs_open2().  The fs->group_desc buffer is allocated to have space for fs->desc_blocks items:

http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/tree/lib/ext2fs/openfs.c?id=de25d9c#n358

If the EXT2_FEATURE_INCOMPAT_META_BG flag is set, first_meta_bg for the file system is used and not checked against fs->desc_blocks:

http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/tree/lib/ext2fs/openfs.c?id=de25d9c#n381

This reportedly leads to an overflow in the subsequent io_channel_read_blk() call.

It seems this issue was fixed upstream in:

http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4
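As an added stand-alone illustration (not e2fsprogs' own code) of the boundary check comment 2 describes: the number of descriptor blocks read after the superblock must never exceed the fs->desc_blocks that fs->group_desc was allocated for. The struct, the `clamp` switch and the function names are assumptions modelled on ext2 naming; the feature-flag value matches ext2_fs.h.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-alone model of the check, not e2fsprogs code. The feature-flag value
 * matches ext2_fs.h; the struct and function names are assumptions. */
#define EXT2_FEATURE_INCOMPAT_META_BG 0x0010

struct sb_model {
    uint32_t s_feature_incompat;
    uint32_t s_first_meta_bg;   /* read straight from an untrusted image */
};

/* How many descriptor blocks to read right after the superblock. Without the
 * clamp, an s_first_meta_bg larger than desc_blocks (the size group_desc was
 * allocated for) makes the following read overrun the buffer. */
uint32_t first_meta_bg_blocks(const struct sb_model *sb, uint32_t desc_blocks, int clamp)
{
    uint32_t first_meta_bg;
    if (sb->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
        first_meta_bg = sb->s_first_meta_bg;
        if (clamp && first_meta_bg > desc_blocks)
            first_meta_bg = desc_blocks;   /* the missing boundary check */
    } else {
        first_meta_bg = desc_blocks;
    }
    return first_meta_bg;
}

/* Simulated io_channel_read_blk(): fills `count` blocks of `dest`, but refuses
 * a request larger than the `dest_blocks` the caller allocated (0 ok, -1 overflow). */
int read_blocks_checked(uint8_t *dest, uint32_t dest_blocks, uint32_t blocksize, uint32_t count)
{
    if (count > dest_blocks)
        return -1;
    memset(dest, 0xEE, (size_t)count * blocksize);  /* constructed block contents */
    return 0;
}

/* 1 if opening a META_BG superblock with this s_first_meta_bg keeps the read
 * inside a desc_blocks-sized group_desc buffer, 0 if it would overflow. */
int open_group_desc_is_safe(uint32_t first_meta_bg_value, uint32_t desc_blocks, int clamp)
{
    struct sb_model sb = { EXT2_FEATURE_INCOMPAT_META_BG, first_meta_bg_value };
    uint32_t blocksize = 1024, n = first_meta_bg_blocks(&sb, desc_blocks, clamp);
    uint8_t *group_desc = calloc(desc_blocks, blocksize);  /* sized like fs->group_desc */
    int rc = group_desc ? read_blocks_checked(group_desc, desc_blocks, blocksize, n) : -1;
    free(group_desc);
    return rc == 0;
}
```

With `clamp` set, an oversized s_first_meta_bg is reduced to desc_blocks and the read stays in bounds; without it, the simulated read refuses the request instead of overrunning, which is the condition the real io_channel_read_blk() call had no way to detect.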

Comment 4 Tomas Hoger 2015-02-03 14:44:42 UTC
Reporter clarified there is only one issue, mentioned in comment 2, that can be triggered using various e2fsprogs tools.

Comment 8 Tomas Hoger 2015-02-05 15:04:17 UTC
Public now via oCERT-2015-002 advisory.

External Reference:

http://www.ocert.org/advisories/ocert-2015-002.html

Comment 9 Tomas Hoger 2015-02-05 15:04:59 UTC
Created e2fsprogs tracking bugs for this issue:

Affects: fedora-all [bug 1189834]

Comment 10 Fedora Update System 2015-02-09 05:27:17 UTC
e2fsprogs-1.42.12-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-02-21 04:24:33 UTC
e2fsprogs-1.42.12-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Tomas Hoger 2015-03-24 08:11:54 UTC
Statement:

This issue affects e2fsprogs packages as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue.

This issue affects e4fsprogs packages as shipped with Red Hat Enterprise Linux 5. The issue is not planned to be addressed in Red Hat Enterprise Linux 5.

This issue did not affect e2fsprogs packages as shipped with Red Hat Enterprise Linux 5.

