libblkid: Avoid OOB access on illegal ZFS superblocks
64-bit systems can trigger an out-of-bounds access while performing a ZFS superblock probe. This happens due to a possible integer overflow while calculating the remaining available bytes. The variable "avail" is of type "int" and the string length is allowed to be larger than INT_MAX, which means that the avail calculation can overflow, circumventing the "avail < 0" check and therefore accessing memory outside the "buff" array later on. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
parent
1037269fec
commit
8fa57ab0b5
|
@ -112,7 +112,7 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset)
|
|||
|
||||
nvs->nvs_type = be32_to_cpu(nvs->nvs_type);
|
||||
nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen);
|
||||
if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs))
|
||||
if (nvs->nvs_strlen > INT_MAX - sizeof(*nvs))
|
||||
break;
|
||||
avail -= nvs->nvs_strlen + sizeof(*nvs);
|
||||
DBG(LOWPROBE, ul_debug("nvstring: type %u string %*s\n", nvs->nvs_type,
|
||||
|
|
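Review bot: The `DBG(...)` call on the last line of the hunk formats `nvs_string` with `%*s`, which sets a minimum field width rather than a maximum, so with debugging enabled the string is read up to the first NUL regardless of `nvs_strlen`, and no comparison of the length against `avail` is visible before it. The new `INT_MAX` guard keeps the subtraction from wrapping, but on its own it does not show that the string lies inside the buffer. I would put the bounds test ahead of the debug output, e.g. `if (avail < 0) break;` directly after `avail -= nvs->nvs_strlen + sizeof(*nvs);`, and switch the format to `%.*s` with the length cast to `int`. The arguments of the `DBG` call and the rest of zfs_extract_guid_name lie outside the hunk, so a later `avail` check may already exist; the point is only about the ordering.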