branch: master
Commits on Feb 16, 2015
  1. Merge branch 'maint' into next

Commits on Feb 11, 2015
  1. libext2fs: fix potential buffer overflow in closefs()

    The bug fix in f66e6ce: "libext2fs: avoid buffer overflow if
    s_first_meta_bg is too big" had a typo in the fix for
    ext2fs_closefs().  In practice most of the security exposure was from
    the openfs path, since this meant if there was a carefully crafted
    file system, a buffer overrun would be triggered when the file system
    was opened.
    
    However, if a corrupted file system didn't trip over some corruption
    check, and then the file system was modified via tune2fs or debugfs,
    such that the superblock was marked dirty and then written out via the
    closefs() path, it's possible that the buffer overrun could be
    triggered when the file system is closed.
    
    Also clear up a signed vs unsigned warning while we're at it.
    
    Thanks to Nick Kralevich <nnk@google.com> for asking me to look at
    compiler warning in the code in question, which led me to notice the
    bug in f66e6ce.
    
    Addresses: CVE-2015-1572
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Commits on Jan 29, 2015
  1. e2fsck: salvage under-sized dirents by removing them

    Darrick J. Wong authored committed
    If the directory processing code ends up pointing to a directory entry
    that's so close to the end of the block that there's not even space
    for a rec_len/name_len, just substitute dummy values that will force
    e2fsck to extend the previous entry to cover the remaining space.  We
    can't use the helper methods to extract rec_len because that's reading
    off the end of the buffer.
    
    This isn't an issue with non-inline directories because the directory
    check buffer is zero-extended so that fsck won't blow up.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Commits on Jan 28, 2015
  1. e2fsck: improve the inline directory detector

    Darrick J. Wong authored committed
    Strengthen the checks that guess if the inode we're looking at is an
    inline directory.  The current check sweeps up any inline inode if
    its length is a multiple of four; now we'll at least try to see if
    there's the beginning of a valid directory entry.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  2. e2fsck: inspect inline dir data as two directory blocks

    Darrick J. Wong authored committed
    The design of inline directories (apparently) calls for the i_block[]
    region and the EA regions to be treated as if they were two separate
    blocks of dirents.  Effectively this means that it is impossible for a
    directory entry to straddle both areas.  e2fsck doesn't enforce this,
    so teach it to do so.  e2fslib already knows to do this....
    
    Cc: Zheng Liu <gnehzuil.liu@gmail.com>
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  3. e2fsck: decrement bad count _after_ remapping a duplicate block

    Darrick J. Wong authored committed
    Decrement the bad count *after* we've shown that (a) we can allocate a
    replacement block and (b) remap the file block.  Unfortunately,
    the only way to tell if the remapping succeeded is to wait until the
    next clone_file_block() call or block_iterate3() returns.
    
    Otherwise, there's a corruption error: we decrease the badcount once in
    preparation to remap, then the remap fails (either we can't find a
    replacement block or we have to split the extent tree and can't find a
    new extent block), so we delete the file, which decreases the badcount
    on the block a second time.  Later on e2fsck will think that it's
    straightened out all the duplicate blocks, which isn't true.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Commits on Jan 27, 2015
  1. e2fsck: handle multiple *ind block collisions with critical metadata

    Darrick J. Wong authored committed
    An earlier patch tried to detect indirect blocks that conflicted with
    critical FS metadata for the purpose of preventing corrections being
    made to those indirect blocks.  Unfortunately, that patch cannot
    handle more than one conflicting *ind block per file; therefore, use
    the ref_block parameter to test the metadata block map to decide if
    we need to avoid fixing the *ind block when we're iterating the
    block's entries.  (We have to iterate the block to capture any blocks
    that the block points to, as they could be in use.)
    
    As a side note, in 1B we'll reallocate all those conflicting *ind
    blocks and restart fsck, so the contents will be checked eventually.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  2. e2fsck: fix message when the journal is deleted and regenerated

    Darrick J. Wong authored committed
    When we recreate the journal, don't say that the FS "is now ext3
    again", since we could be fixing a damaged ext4 FS journal, which does
    not magically convert the FS back to ext3.
    
    [ Use "journaled" instead of "journalled", and also fix the message we
      print when deleting the journal --Ted ]
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  3. e2fsck: on read error, don't rewrite blocks past the end of the fs

    Darrick J. Wong authored committed
    If e2fsck encounters a read error on a block past the end of the
    filesystem, don't bother trying to "rewrite" the block.  We might
    still want to re-try the read to capture FS data marooned past the end
    of the filesystem, but in that case e2fsck ought to move the block
    back inside the filesystem.
    
    This enables e2fuzz to detect writes past the end of the FS due to
    software bugs.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  4. e2fsck: clear i_block[] when there are too many bad mappings on a special inode

    Darrick J. Wong authored committed
    
    If we decide to clear a special inode because of bad mappings, we need
    to zero the i_block array.  The clearing routine depends on setting
    i_links_count to zero to keep us from re-checking the block maps,
    but that field isn't checked for special inodes.  Therefore, if we
    haven't erased the mappings, check_blocks will restart fsck and fsck
    will try to check the blocks again, leading to an infinite loop.
    
    (This seems easy to trigger if the bootloader inode extent map is
    corrupted.)
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  5. tune2fs: direct user to resize2fs for 64bit conversion

    Darrick J. Wong authored committed
    If the user tries to enable or disable the 64bit feature via tune2fs,
    tell them how to use resize2fs to effect the conversion.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  6. tune2fs: abort when trying to enable/disable metadata_csum on mounted fs

    Darrick J. Wong authored committed
    Earlier, I tried to make tune2fs abort if the user tried to enable or
    disable metadata_csum on a mounted FS, but forgot the exit() call.
    Supply it now.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  7. tune2fs: disable csum verification before resizing inode

    Darrick J. Wong authored committed
    When we're turning on metadata checksumming /and/ resizing the inode
    at the same time, disable checksum verification during the
    resize_inode() call because the subroutines it calls will try to
    verify the checksums (which have not yet been set), causing the
    operation to fail unnecessarily.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  8. resize2fs: fix regression test to not depend on ext4.ko being loaded

    Darrick J. Wong authored committed
    The behavior of the r_fixup_lastbg_big test varies depending on
    whether or not ext4.ko is loaded and supports lazy_itable_init.  This
    makes checking the bg flags after resize2fs hard to predict, so put in
    a way to force resize2fs to zero the inode tables, and compare the
    output based on lazy_itable_init == 0.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  9. libext2fs: fix tdb.c mmap leak

    Darrick J. Wong authored committed
    When undoing an expansion of an mmap'd database while cancelling a
    transaction, the tdb code prematurely decreases the variable that
    tracks the file size, which leads to a region leak during the
    subsequent unmap.  Fix this by maintaining a separate counter for the
    region size.
    
    (This is probably unnecessary since e2undo was the only user of tdb
    transactions, but I suppose we could be proactive.)
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  10. libext2fs: strengthen i_extra_isize checks when reading/writing xattrs

    Darrick J. Wong authored committed
    Strengthen the i_extra_isize checks to look for obviously too-small
    values before trying to operate on inode EAs.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  11. libext2fs: avoid pointless EA block allocation

    Darrick J. Wong authored committed
    Use qsort to move the inlinedata attribute to the front of the list
    and the empty entries to the end.  Then we can use handle->count to
    decide if we're done writing xattrs, which helps us to avoid the
    situation where we're midway through the attribute list, so we
    allocate an EA block to store more, but have no idea that there's
    actually nothing left in the list.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  12. libext2fs: initialize i_extra_isize when writing EAs

    Darrick J. Wong authored committed
    If i_extra_isize is zero when we try to write extended attributes,
    we'll end up writing the EA magic into the i_extra_isize field, which
    causes a subsequent crash on big endian systems (when we try to write
    0xEA02 bytes past the inode!).  Therefore when the field is zero, set
    i_extra_isize to the desired extra_isize size, zero those bytes, and
    write the EAs after the end of the extended inode.
    
    v2: Don't bother if we have 128b inodes, and ensure that the value
    is 32b-aligned so that the EA magic starts on a 32b boundary.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  13. debugfs: fix crash in ea_set argument handling

    Darrick J. Wong authored committed
    Fix an incorrect check in ea_set that would crash debugfs if someone
    runs 'ea_set / foo.bar' (i.e. with no value argument)
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  14. debugfs: document new commands

    Darrick J. Wong authored committed
    Document the new journal and xattr commands in the debugfs manpage.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  15. misc: fix minor testcase problems

    Darrick J. Wong authored committed
    Don't write debugfs headers to stdout...
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Commits on Jan 26, 2015
  1. Reserve the codepoints for the new INCOMPAT feature ENCRYPT

    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Commits on Jan 23, 2015
  1. buildsystem: use 'chmod a-w' instead of 'chmod -w'

    ensc authored committed
    'chmod -w' is not portable and can break the build:
    
    | chmod: chmod: ss_err.h: new permissions are r--rw-r--, not r--r--r--
    | ss_err.h: new permissions are r--rw-r--, not r--r--r--
    | chmod: ss_err.c: new permissions are r--rw-r--, not r--r--r--
    | make[2]: *** [ss_err.h] Error 1
    
    This happens because 'chmod -w' is affected by umask. Issue can be
    reproduced e.g. by
    
    $ mkdir /tmp/foo
    $ setfacl -m d:m:rwx /tmp/foo
    
    $ umask 022
    $ touch /tmp/foo/x
    $ chmod -w /tmp/foo/x
    chmod: /tmp/foo/x: new permissions are r--rw-r--, not r--r--r--
    
    Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  2. e2fsck: fix corruption of Hurd filesystems

    teythoon authored committed
    Previously, e2fsck accessed the field osd2.linux2.l_i_file_acl_high
    without checking that the filesystem is indeed created for
    Linux.  This led to e2fsck constantly complaining about certain
    nodes:
    
    i_file_acl_hi for inode XXX (/dev/console) is 32, should be zero.
    
    By "correcting" this problem, e2fsck would clobber the field
    osd2.hurd2.h_i_mode_high.
    
    Properly guard access to the OS dependent fields.
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Commits on Jan 19, 2015
  1. e2fuzz: fix clang warning

    Darrick J. Wong authored committed
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  2. Merge branch 'maint' into next

  3. Fix clang warning and a resource leak

    Darrick J. Wong authored committed
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Commits on Jan 13, 2015
  1. e2fsck: close the progress_fd in the logfile child process

    If e2fsck.conf's logging feature is enabled, and e2fsck is being run
    via systemd-fsck, there will be a deadlock since systemd-fsck is
    waiting for progress_fd pipe to be closed, instead of waiting for the
    fsck process to exit --- and so the logfile child process won't exit
    until it can write out the logfile, and systemd won't continue the
    boot process so that the file system can be remounted read-write.
    Oops.
    
    Addresses-Debian-Bug: #775234
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Commits on Dec 26, 2014
  1. Merge branch 'maint' into next

    Conflicts:
    	lib/ext2fs/inode.c
  2. libext2fs: add sanity check for an invalid itable_used value in inode scan code
    
    If the number of unused inodes is greater than the number of inodes in
    a block group, this can cause an e2fsck -n run of the file system to
    crash.
    
    We should add more checks to e2fsck to detect this case directly, but
    this will at least protect programs (tune2fs, dump, etc.) which use the
    inode_scan abstraction from crashing on an invalid file system.
    
    Addresses-Debian-Bug: #773795
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Commits on Dec 15, 2014
  1. tests: test resize2fs 32->64 and 64->32bit conversion code

    Darrick J. Wong authored committed
    Add some simple tests to check that flex_bg and meta_bg filesystems
    can be converted between 32 and 64bit layouts.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  2. resize2fs: convert fs to and from 64bit mode

    Darrick J. Wong authored committed
    resize2fs does its magic by loading a filesystem, duplicating the
    in-memory image of that fs, moving relevant blocks out of the way of
    whatever new metadata get created, and finally writing everything back
    out to disk.  Enabling 64bit mode enlarges the group descriptors,
    which makes resize2fs a reasonable vehicle for taking care of the rest
    of the bookkeeping requirements, so add to resize2fs the ability to
    convert a filesystem to 64bit mode and back.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Cc: TR Reardon <thomas_reardon@hotmail.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  3. libext2fs: speed up the max extent depth api call

    Darrick J. Wong authored committed
    The maximum extent tree depth really only depends on the filesystem
    block size, so cache the last result if possible.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  4. Bump version.h for an experimental release

    authored
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  5. resize2fs: don't play stupid games with the block count

    Darrick J. Wong authored committed
    While it may be true that playing games with old_fs' block count
    during a grow operation shuts up a bunch of warnings, resize2fs
    doesn't actually expand the group descriptor array to match the size
    we're artificially stuffing into old_fs, which means that if we
    actually need to allocate a block out of the larger fs (i.e. we're in
    desperation mode), ext2fs_block_alloc_stats2() scribbles on the heap,
    leading to crashes if you're lucky and FS corruption if not.
    
    So, rip that piece out and turn off com_err warnings properly and add
    a test case to deal with growing a nearly full filesystem.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>