Bug 2069726 (CVE-2022-1304) - CVE-2022-1304 e2fsprogs: out-of-bounds read/write via crafted filesystem
Summary: CVE-2022-1304 e2fsprogs: out-of-bounds read/write via crafted filesystem
Keywords:
Status: NEW
Alias: CVE-2022-1304
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2069727 2073546 2073548 2073549 2073547
Blocks: 2069728 2074172
TreeView+ depends on / blocked
 
Reported: 2022-03-29 14:52 UTC by Borja Tarraso
Modified: 2022-06-07 13:32 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read/write vulnerability was found in e2fsprogs. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Borja Tarraso 2022-03-29 14:52:39 UTC
An out-of-bounds read/write vulnerability was found in e2fsprogs which can lead to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem. The issue occurs in ext2fs_extent_delete() in lib/ext2fs/extent.c when path->left is equal to -1, resulting in a call to memmove() with invalid arguments.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=2068113

Comment 1 Borja Tarraso 2022-03-29 14:52:59 UTC
Created e2fsprogs tracking bugs for this issue:

Affects: fedora-all [bug 2069727]

Comment 2 Lukáš Czerner 2022-03-30 08:26:57 UTC
(In reply to Borja Tarraso from comment #0)
> A vulnerability was found in e2fsck. During the processing of the attached
> disk image via e2fsck -p -f /testcase an out-of-bounds write is triggered
> and causes a segmentation fault (SIGSEGV).

Hello,

thanks for the report, however there are couple of things missing. I don't see a Fedora version for which this bug is supposed to be and I don't see the version of e2fsprogs which this problem applies to. Also there is no disk image attached. Please provide the missing information and the mentioned disk image.

> 
> This bug allows an attacker to perform a denial of service and possibly
> opens up other attack vectors.

how does it allow to perform a DoS? What other attack vectors does it open?

Thanks!
-Lukas

Comment 3 Guilherme de Almeida Suckevicz 2022-04-01 20:28:54 UTC
In reply to comment #2:
> Hello,
> 
> thanks for the report, however there are couple of things missing. I don't
> see a Fedora version for which this bug is supposed to be and I don't see
> the version of e2fsprogs which this problem applies to. Also there is no
> disk image attached. Please provide the missing information and the
> mentioned disk image.

Hi Lukas,

You can find the original bug report with more information here: https://bugzilla.redhat.com/show_bug.cgi?id=2068113

> how does it allow to perform a DoS? What other attack vectors does it open?

We are still investigating this issue and that's not clear yet.

Thanks.

Comment 5 Lukáš Czerner 2022-04-11 08:32:57 UTC
Indeed this is a bug and should be fixed. But as always when fuzzer images pop up, I don't consider it a security issue as it requires a physical access and an elaborate, non standard and not very smart setup to automatically run fsck on inserted USB.

Comment 6 juneau 2022-04-11 14:16:39 UTC
Marking services-* and OSD affected/low/delegated for presence of affected code.

Couple items of note:

[0] Exploitation is highly unlikely.

[1] "Unfortunately, we were not able to reproduce the issue on RHEL UBI since it appears that `e2fsprogs` is not part of the standard repository."

Yet another argument for Red Hat to stop using non-UBI images in our managed services…

---

services-ansible-automation-hub/automation-hub/automation-hub-ansible-test:latest/e2fsprogs-1.44.1-1ubuntu1.3 https://quay.io/cloudservices/automation-hub-ansible-test:latest

services-managed-kafka/cos-fleet-manager/cos-fleet-catalog-camel:latest/e2fsprogs-1.44.5-1+deb10u3 https://quay.io/rhoas/cos-fleet-catalog-camel:latest
services-managed-kafka/strimzi/prometheus-kafka-consumer-group-exporter:latest/e2fsprogs-1.44.5-1+deb10u3 https://quay.io/app-sre/prometheus-kafka-consumer-group-exporter:latest

services-openshift-cluster-manager/ocm/golangci-lint:latest/e2fsprogs-1.46.2-2 https://quay.io/app-sre/golangci-lint:latest
services-openshift-cluster-manager/ocm/selenium-standalone-chrome-debug:latest/e2fsprogs-1.45.5-2ubuntu1 https://quay.io/app-sre/selenium-standalone-chrome-debug:latest
services-openshift-cluster-manager/ocm/selenium-standalone-firefox-debug:latest/e2fsprogs-1.45.5-2ubuntu1 https://quay.io/app-sre/selenium-standalone-firefox-debug:latest

Comment 8 Guilherme de Almeida Suckevicz 2022-04-11 17:59:45 UTC
In reply to comment #5:
> Indeed this is a bug and should be fixed. But as always when fuzzer images
> pop up, I don't consider it a security issue as it requires a physical
> access and an elaborate, non standard and not very smart setup to
> automatically run fsck on inserted USB.

Hi Lukas, thank you for your input on this.

Although that is an attack scenario, that is not the only one. An attacker can corrupt a filesystem or prepare, distribute and force an user to run e2fsck on a crafted filesystem image.

Given the conditions to trigger this vulnerability, it has at most a moderate severity.

Thanks.


Note You need to log in before you can comment on or make changes to this bug.