e2fsprogs -- buffer overflow if s_first_meta_bg too big

ID 0F488B7B-BBB9-11E4-903C-080027EF73EC
Type freebsd
Reporter FreeBSD
Modified 2014-08-09T00:00:00


Theodore Ts'o reports:

If s_first_meta_bg is greater than the number of block group descriptor blocks, then reading or writing the block group descriptors will end up overrunning the memory buffer allocated for the descriptors. The finding is credited to a vulnerability report from Jose Duart of Google Security Team <jduart AT google.com> and was reported through oCERT-2015-002.
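
The bounds check this report calls for, as an added example (a simplified model written for this entry, not e2fsprogs code). It assumes a reader that copies `s_first_meta_bg` descriptor blocks in one contiguous read into a buffer sized for `desc_blocks` blocks; `struct sb_model`, the function names, `BLOCK_SIZE` and the sample values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 1024u /* constructed block size for this model */

/* Hypothetical stand-in for the two values the advisory names. */
struct sb_model {
    uint32_t desc_blocks;     /* descriptor blocks the buffer is sized for */
    uint32_t s_first_meta_bg; /* untrusted field read from the superblock */
};

/* Bytes an unchecked reader would copy in its contiguous read. */
size_t unchecked_read_len(const struct sb_model *sb)
{
    return (size_t)sb->s_first_meta_bg * BLOCK_SIZE;
}

/* Clamp the untrusted field to the number of descriptor blocks. */
uint32_t clamped_first_meta_bg(const struct sb_model *sb)
{
    uint32_t n = sb->s_first_meta_bg;
    return n > sb->desc_blocks ? sb->desc_blocks : n;
}

/* Copy the contiguous descriptor blocks from an in-memory image.
 * Returns bytes copied, or -1 if the image or buffer is too small. */
long read_contiguous_descs(const struct sb_model *sb, const uint8_t *image,
                           size_t image_len, uint8_t *buf, size_t buf_len)
{
    size_t len = (size_t)clamped_first_meta_bg(sb) * BLOCK_SIZE;
    if (len > buf_len || len > image_len)
        return -1;
    memcpy(buf, image, len);
    return (long)len;
}

int main(void)
{
    struct sb_model sb = { .desc_blocks = 2, .s_first_meta_bg = 9 }; /* constructed */
    static uint8_t image[16 * BLOCK_SIZE], buf[2 * BLOCK_SIZE];
    printf("buffer %zu, unchecked %zu, checked %ld\n", sizeof buf,
           unchecked_read_len(&sb),
           read_contiguous_descs(&sb, image, sizeof image, buf, sizeof buf));
    return 0;
}
```

With the constructed values, the unchecked length is larger than the descriptor buffer, while the clamped read stays within it.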