You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
47 lines
2.0 KiB
47 lines
2.0 KiB
From 7e1c9da4773237e368bdc0539ef91d55ef19806c Mon Sep 17 00:00:00 2001 |
|
From: Tobias Stoeckmann <tobias@stoeckmann.org> |
|
Date: Sun, 28 Aug 2016 21:15:59 +0200 |
|
Subject: [PATCH 114/116] libblkid: Avoid OOB access on illegal ZFS superblocks |
|
|
|
64 bit systems can trigger an out of boundary access while performing |
|
a ZFS superblock probe. |
|
|
|
This happens due to a possible integer overflow while calculating |
|
the remaining available bytes. The variable is of type "int" and the |
|
string length is allowed to be larger than INT_MAX, which means that |
|
avail calculation can overflow, circumventing the "avail < 0" check and |
|
therefore accessing memory outside the "buff" array later on. |
|
|
|
[kzak@redhat.com (rhel7): - remove unused swab_magic] |
|
|
|
Upstream: https://github.com/karelzak/util-linux/commit/8fa57ab0b5696031da800e243def32bc5265ff6d |
|
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1392661 |
|
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> |
|
Signed-off-by: Karel Zak <kzak@redhat.com> |
|
--- |
|
libblkid/src/superblocks/zfs.c | 3 +-- |
|
1 file changed, 1 insertion(+), 2 deletions(-) |
|
|
|
diff --git a/libblkid/src/superblocks/zfs.c b/libblkid/src/superblocks/zfs.c |
|
index ff12fa6..2c7b4b7 100644 |
|
--- a/libblkid/src/superblocks/zfs.c |
|
+++ b/libblkid/src/superblocks/zfs.c |
|
@@ -115,7 +115,7 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset) |
|
|
|
nvs->nvs_type = be32_to_cpu(nvs->nvs_type); |
|
nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen); |
|
- if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs)) |
|
+ if (nvs->nvs_strlen > INT_MAX - sizeof(*nvs)) |
|
break; |
|
avail -= nvs->nvs_strlen + sizeof(*nvs); |
|
nvdebug("nvstring: type %u string %*s\n", nvs->nvs_type, |
|
@@ -201,7 +201,6 @@ static int find_uberblocks(const void *label, loff_t *ub_offset, int *swap_endia |
|
* #4 (@ 132kB) is the first one written on a new filesystem. */ |
|
static int probe_zfs(blkid_probe pr, const struct blkid_idmag *mag) |
|
{ |
|
- uint64_t swab_magic = swab64(UBERBLOCK_MAGIC); |
|
int swab_endian = 0; |
|
struct zfs_uberblock *ub; |
|
loff_t offset, ub_offset = 0; |
|
-- |
|
2.9.3
|
|
|