libblkid: Avoid OOB access on illegal ZFS superblocks

64 bit systems can trigger an out of boundary access while performing
a ZFS superblock probe.

This happens due to a possible integer overflow while calculating
the remaining available bytes. The variable is of type "int" and the
string length is allowed to be larger than INT_MAX, which means that
avail calculation can overflow, circumventing the "avail < 0" check and
therefore accessing memory outside the "buff" array later on.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Tobias Stoeckmann 2016-08-28 21:15:59 +02:00 committed by Karel Zak
parent 1037269fec
commit 8fa57ab0b5
1 changed files with 1 additions and 1 deletions


@ -112,7 +112,7 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset)
nvs->nvs_type = be32_to_cpu(nvs->nvs_type);
nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen);
if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs))
if (nvs->nvs_strlen > INT_MAX - sizeof(*nvs))
break;
avail -= nvs->nvs_strlen + sizeof(*nvs);
DBG(LOWPROBE, ul_debug("nvstring: type %u string %*s\n", nvs->nvs_type,
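Review bot: The new bound in `if (nvs->nvs_strlen > INT_MAX - sizeof(*nvs))` only guarantees that `nvs->nvs_strlen + sizeof(*nvs)` fits in an int; it never compares the length against the bytes actually remaining, so safety still rests on the separate "avail < 0" test after `avail -= nvs->nvs_strlen + sizeof(*nvs);`. That subtraction is evaluated in size_t and then converted back into the int `avail`, which is the implicit conversion that hid the original problem. Consider rejecting the entry before subtracting, by checking that `avail` is at least `sizeof(*nvs)` and that `nvs->nvs_strlen` does not exceed `avail - sizeof(*nvs)`, or by making `avail` a size_t so the comparison is done in one unsigned type. A short comment on the check stating why the limit is INT_MAX (the type of `avail`) would also help the next reader. Separately, on the `DBG(LOWPROBE, ul_debug(...))` context line, `%*s` sets a minimum field width and does not limit how many bytes are read from the string; if the intent is to print at most `nvs_strlen` bytes, `%.*s` is the precision form that bounds the read.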