Bug#454760: e2fsprogs: CVE-2007-5497 multiple integer overflows

[Nico Golde]

Package: e2fsprogs
Version: 1.37-2sarge1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for e2fsprogs.

CVE-2007-5497[0]:
| Multiple integer overflows in libext2fs in e2fsprogs allow
| user-assisted remote attackers to execute arbitrary code via a crafted
| filesystem image.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

From what I can see the attached patch fixes this issues. I 
extracted it from the SuSE update.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5497

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/badblocks.c e2fsprogs-1.40.2/lib/ext2fs/badblocks.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/badblocks.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/badblocks.c	2007-11-06 04:41:51.000000000 -0800
@@ -42,7 +42,7 @@
 	bb->magic = EXT2_ET_MAGIC_BADBLOCKS_LIST;
 	bb->size = size ? size : 10;
 	bb->num = num;
-	retval = ext2fs_get_mem(bb->size * sizeof(blk_t), &bb->list);
+	retval = ext2fs_get_array(bb->size, sizeof(blk_t), &bb->list);
 	if (retval) {
 		ext2fs_free_mem(&bb);
 		return retval;
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/bb_inode.c e2fsprogs-1.40.2/lib/ext2fs/bb_inode.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/bb_inode.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/bb_inode.c	2007-11-06 04:41:51.000000000 -0800
@@ -68,7 +68,7 @@
 	rec.bad_block_count = 0;
 	rec.ind_blocks_size = rec.ind_blocks_ptr = 0;
 	rec.max_ind_blocks = 10;
-	retval = ext2fs_get_mem(rec.max_ind_blocks * sizeof(blk_t),
+	retval = ext2fs_get_array(rec.max_ind_blocks, sizeof(blk_t),
 				&rec.ind_blocks);
 	if (retval)
 		return retval;
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/block.c e2fsprogs-1.40.2/lib/ext2fs/block.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/block.c	2007-07-12 08:35:46.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/block.c	2007-11-06 04:41:51.000000000 -0800
@@ -313,7 +313,7 @@
 	if (block_buf) {
 		ctx.ind_buf = block_buf;
 	} else {
-		retval = ext2fs_get_mem(fs->blocksize * 3, &ctx.ind_buf);
+		retval = ext2fs_get_array(3, fs->blocksize, &ctx.ind_buf);
 		if (retval)
 			return retval;
 	}
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/bmap.c e2fsprogs-1.40.2/lib/ext2fs/bmap.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/bmap.c	2007-07-12 08:35:46.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/bmap.c	2007-11-06 04:41:51.000000000 -0800
@@ -158,7 +158,7 @@
 	addr_per_block = (blk_t) fs->blocksize >> 2;
 
 	if (!block_buf) {
-		retval = ext2fs_get_mem(fs->blocksize * 2, &buf);
+		retval = ext2fs_get_array(2, fs->blocksize, &buf);
 		if (retval)
 			return retval;
 		block_buf = buf;
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/bmove.c e2fsprogs-1.40.2/lib/ext2fs/bmove.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/bmove.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/bmove.c	2007-11-06 04:41:51.000000000 -0800
@@ -108,7 +108,7 @@
 	pb.alloc_map = alloc_map ? alloc_map : fs->block_map;
 	pb.flags = flags;
 	
-	retval = ext2fs_get_mem(fs->blocksize * 4, &block_buf);
+	retval = ext2fs_get_array(4, fs->blocksize, &block_buf);
 	if (retval)
 		return retval;
 	pb.buf = block_buf + fs->blocksize * 3;
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/brel_ma.c e2fsprogs-1.40.2/lib/ext2fs/brel_ma.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/brel_ma.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/brel_ma.c	2007-11-06 04:41:51.000000000 -0800
@@ -75,7 +75,8 @@
 	
 	size = (size_t) (sizeof(struct ext2_block_relocate_entry) *
 			 (max_block+1));
-	retval = ext2fs_get_mem(size, &ma->entries);
+	retval = ext2fs_get_array(max_block+1,
+		sizeof(struct ext2_block_relocate_entry), &ma->entries);
 	if (retval)
 		goto errout;
 	memset(ma->entries, 0, size);
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/closefs.c e2fsprogs-1.40.2/lib/ext2fs/closefs.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/closefs.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/closefs.c	2007-11-06 04:41:51.000000000 -0800
@@ -226,8 +226,7 @@
 		retval = ext2fs_get_mem(SUPERBLOCK_SIZE, &super_shadow);
 		if (retval)
 			goto errout;
-		retval = ext2fs_get_mem((size_t)(fs->blocksize *
-						 fs->desc_blocks),
+		retval = ext2fs_get_array(fs->blocksize, fs->desc_blocks,
 					&group_shadow);
 		if (retval)
 			goto errout;
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/dblist.c e2fsprogs-1.40.2/lib/ext2fs/dblist.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/dblist.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/dblist.c	2007-11-06 04:41:51.000000000 -0800
@@ -85,7 +85,8 @@
 	}
 	len = (size_t) sizeof(struct ext2_db_entry) * dblist->size;
 	dblist->count = count;
-	retval = ext2fs_get_mem(len, &dblist->list);
+	retval = ext2fs_get_array(dblist->size, sizeof(struct ext2_db_entry),
+		&dblist->list);
 	if (retval)
 		goto cleanup;
 	
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/dupfs.c e2fsprogs-1.40.2/lib/ext2fs/dupfs.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/dupfs.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/dupfs.c	2007-11-06 04:41:51.000000000 -0800
@@ -59,7 +59,7 @@
 		goto errout;
 	memcpy(fs->orig_super, src->orig_super, SUPERBLOCK_SIZE);
 
-	retval = ext2fs_get_mem((size_t) fs->desc_blocks * fs->blocksize,
+	retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize,
 				&fs->group_desc);
 	if (retval)
 		goto errout;
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/ext2fs.h e2fsprogs-1.40.2/lib/ext2fs/ext2fs.h
--- e2fsprogs-1.40.2.orig/lib/ext2fs/ext2fs.h	2007-07-12 08:35:46.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/ext2fs.h	2007-11-06 04:41:51.000000000 -0800
@@ -965,6 +965,7 @@
 
 /* inline functions */
 extern errcode_t ext2fs_get_mem(unsigned long size, void *ptr);
+extern errcode_t ext2fs_get_array(unsigned long count, unsigned long size, void *ptr);
 extern errcode_t ext2fs_free_mem(void *ptr);
 extern errcode_t ext2fs_resize_mem(unsigned long old_size,
 				   unsigned long size, void *ptr);
@@ -1018,6 +1019,12 @@
 	memcpy(ptr, &pp, sizeof (pp));
 	return 0;
 }
+_INLINE_ errcode_t ext2fs_get_array(unsigned long count, unsigned long size, void *ptr)
+{
+	if (count && (-1UL)/count<size)
+		return EXT2_ET_NO_MEMORY; //maybe define EXT2_ET_OVERFLOW ?
+	return ext2fs_get_mem(count*size, ptr);
+}
 
 /*
  * Free memory
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/fileio.c e2fsprogs-1.40.2/lib/ext2fs/fileio.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/fileio.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/fileio.c	2007-11-06 04:41:51.000000000 -0800
@@ -65,7 +65,7 @@
 			goto fail;
 	}
 	
-	retval = ext2fs_get_mem(fs->blocksize * 3, &file->buf);
+	retval = ext2fs_get_array(3, fs->blocksize, &file->buf);
 	if (retval)
 		goto fail;
 
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/icount.c e2fsprogs-1.40.2/lib/ext2fs/icount.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/icount.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/icount.c	2007-11-06 04:41:51.000000000 -0800
@@ -237,7 +237,8 @@
 	printf("Icount allocated %u entries, %d bytes.\n",
 	       icount->size, bytes);
 #endif
-	retval = ext2fs_get_mem(bytes, &icount->list);
+	retval = ext2fs_get_array(icount->size, sizeof(struct ext2_icount_el),
+			 &icount->list);
 	if (retval)
 		goto errout;
 	memset(icount->list, 0, bytes);
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/initialize.c e2fsprogs-1.40.2/lib/ext2fs/initialize.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/initialize.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/initialize.c	2007-11-06 04:42:09.000000000 -0800
@@ -349,7 +349,7 @@
 
 	ext2fs_free_mem(&buf);
 
-	retval = ext2fs_get_mem((size_t) fs->desc_blocks * fs->blocksize,
+	retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize,
 				&fs->group_desc);
 	if (retval)
 		goto cleanup;
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/inode.c e2fsprogs-1.40.2/lib/ext2fs/inode.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/inode.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/inode.c	2007-11-06 04:41:51.000000000 -0800
@@ -90,8 +90,8 @@
 	fs->icache->cache_last = -1;
 	fs->icache->cache_size = 4;
 	fs->icache->refcount = 1;
-	retval = ext2fs_get_mem(sizeof(struct ext2_inode_cache_ent)
-				* fs->icache->cache_size,
+	retval = ext2fs_get_array(sizeof(struct ext2_inode_cache_ent),
+				fs->icache->cache_size,
 				&fs->icache->cache);
 	if (retval) {
 		ext2fs_free_mem(&fs->icache->buffer);
@@ -146,8 +146,8 @@
 		group_desc[scan->current_group].bg_inode_table;
 	scan->inodes_left = EXT2_INODES_PER_GROUP(scan->fs->super);
 	scan->blocks_left = scan->fs->inode_blocks_per_group;
-	retval = ext2fs_get_mem((size_t) (scan->inode_buffer_blocks * 
-					  fs->blocksize),
+	retval = ext2fs_get_array(scan->inode_buffer_blocks,
+					  fs->blocksize,
 				&scan->inode_buffer);
 	scan->done_group = 0;
 	scan->done_group_data = 0;
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/irel_ma.c e2fsprogs-1.40.2/lib/ext2fs/irel_ma.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/irel_ma.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/irel_ma.c	2007-11-06 04:41:51.000000000 -0800
@@ -90,21 +90,24 @@
 	irel->priv_data = ma;
 	
 	size = (size_t) (sizeof(ext2_ino_t) * (max_inode+1));
-	retval = ext2fs_get_mem(size, &ma->orig_map);
+	retval = ext2fs_get_array(max_inode+1, sizeof(ext2_ino_t),
+		&ma->orig_map);
 	if (retval)
 		goto errout;
 	memset(ma->orig_map, 0, size);
 
 	size = (size_t) (sizeof(struct ext2_inode_relocate_entry) *
 			 (max_inode+1));
-	retval = ext2fs_get_mem(size, &ma->entries);
+	retval = ext2fs_get_array((max_inode+1,
+		sizeof(struct ext2_inode_relocate_entry), &ma->entries);
 	if (retval)
 		goto errout;
 	memset(ma->entries, 0, size);
 
 	size = (size_t) (sizeof(struct inode_reference_entry) *
 			 (max_inode+1));
-	retval = ext2fs_get_mem(size, &ma->ref_entries);
+	retval = ext2fs_get_mem(max_inode+1,
+		sizeof(struct inode_reference_entry), &ma->ref_entries);
 	if (retval)
 		goto errout;
 	memset(ma->ref_entries, 0, size);
@@ -249,7 +252,8 @@
 	if (ref_ent->refs == 0) {
 		size = (size_t) ((sizeof(struct ext2_inode_reference) * 
 				  ent->max_refs));
-		retval = ext2fs_get_mem(size, &ref_ent->refs);
+		retval = ext2fs_get_array(ent->max_refs,
+			sizeof(struct ext2_inode_reference), &ref_ent->refs);
 		if (retval)
 			return retval;
 		memset(ref_ent->refs, 0, size);
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/openfs.c e2fsprogs-1.40.2/lib/ext2fs/openfs.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/openfs.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/openfs.c	2007-11-06 04:41:51.000000000 -0800
@@ -276,7 +276,7 @@
 					       blocks_per_group);
 	fs->desc_blocks = ext2fs_div_ceil(fs->group_desc_count,
 					  EXT2_DESC_PER_BLOCK(fs->super));
-	retval = ext2fs_get_mem(fs->desc_blocks * fs->blocksize,
+	retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize,
 				&fs->group_desc);
 	if (retval)
 		goto cleanup;
diff -ur e2fsprogs-1.40.2.orig/lib/ext2fs/res_gdt.c e2fsprogs-1.40.2/lib/ext2fs/res_gdt.c
--- e2fsprogs-1.40.2.orig/lib/ext2fs/res_gdt.c	2007-06-30 05:58:34.000000000 -0700
+++ e2fsprogs-1.40.2/lib/ext2fs/res_gdt.c	2007-11-06 04:41:51.000000000 -0800
@@ -73,7 +73,7 @@
 
 	sb = fs->super;
 
-	retval = ext2fs_get_mem(2 * fs->blocksize, &dindir_buf);
+	retval = ext2fs_get_array(2, fs->blocksize, &dindir_buf);
 	if (retval)
 		goto out_free;
 	gdt_buf = (__u32 *)((char *)dindir_buf + fs->blocksize);

pgp6ojtO12l3Y.pgp
Description: PGP signature