It is possible to perform out of boundary read accesses due to
insufficient boundary checks in probe_hfsplus.
The first issue occurs if the leaf count in a B-node is too
small. The second happens while parsing a unicode description which
is longer than 255 UTF-8 characters. The length is stored in a 16 bit
integer, but the array in the struct is limited to 255 * 2, which is
in sync with Apple's Open Source HFS+ implementation (HFSUniStr255).
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Following condition can be true if minix file system is corrupt, and versio
number is found to be greater than 3. It is fair to say described scenario
is unlikely.
libblkid/src/superblocks/minix.c:107:13: warning: variable 'zone_size' is
used uninitialized whenever
'if' condition is false [-Wsometimes-uninitialized]
} else if (version == 3) {
^~~~~~~~~~~~
libblkid/src/superblocks/minix.c:121:6: note: uninitialized use occurs here
if (zone_size != 0 || ninodes == 0 || ninodes == UINT32_MAX)
^~~~~~~~~
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
libblkid/src/superblocks/drbdmanage.c:38:42: warning: too long
initializer-string for array of char(no space for nul char)
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
The SEND_UEVENT=yes|no line is not properly parsed, because the offset
jumps one byte too far behind the equal sign. Therefore, every
configuration that contains the line "SEND_UEVENT=yes" still does not
send an uevent.
The fix is simple: adjust the offset to be "12" instead of "13".
Else these variables will cause following warning:
libblkid/src/superblocks/superblocks.c:165:29: warning: symbol
'superblocks_drv' was not declared. Should it be static?
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
text-utils/tailf.c:69:21: warning: Using plain integer as NULL pointer
Since many 'struct option' has used zero as NULL make them more readable in
same go by reindenting, and using named argument requirements.
Reference: https://lwn.net/Articles/93577/
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
The BEFS prober is quite trusting of whatever data is fed to it and
performs almost no bounds checks. There don't seem to be any
out-of-bounds writes as far as I can tell, but there are many ways a
corrupted image could cause libblkid to read OOB and segfault, or hang
in an infinite loop.
This fix makes a few sanity-checks of the superblock, add bounds checks
wherever they seem needed, and crudely checks for cycles in the B+ tree.
Signed-off-by: Alden Tondettar <alden.tondettar@gmail.com>
If a GUID Partition Table claims to have more than 2**25 entries, or if the
size of each entry is not exactly 128 bytes, libblkid can read out of bounds
and segfault. Perform the appropriate checks.
[kzak@redhat.com: - fix typo]
Signed-off-by: Alden Tondettar <alden.tondettar@gmail.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
The NTFS prober does not validate certain fields in struct file_attribute,
and could attempt to read the disk label from outside the space allocated
for the Master File Table. Perform the appropriate checks.
Note that one variable (attr_off) is now 64-bit, so a check for integer
overflow has been removed as unneeded/confusing.
Signed-off-by: Alden Tondettar <alden.tondettar@gmail.com>
A corrupted ZFS filesystem can trigger 32-bit endian-conversions of
unintended memory locations in zfs_extract_guid_name(), in several ways:
* The variable "left" (number of bytes remaining in the buffer) does not
account for the 12 bytes of the nvlist header.
* The field nvp->nvp_namelen (name length in name/value pair) is rounded
up to the nearest multiple of 4, but only the unrounded size is checked.
* The fields nvs->nvs_type, nvs_strlen, etc. are modified _before_ checking
if they are within bounds.
* A negative value of nvp->nvp_namelen will bypass the check that
nvp->nvp_namelen fits into nvp->nvp_size (size of name/value pair).
This allows for mangling of locations up to 12 + 3 + 8 == 23
bytes beyond the end of stack-based buff[4096], and up to 2**31 bytes
before its beginning.
Furthermore some debugging messages are printed from unchecked memory
locations, possibly resulting in OOB reads or setuid programs leaking
sensitive data when LIBBLKID_DEBUG is set.
This fix attempts to correct all of these problems. It also eliminates the
stack-based buffer (in case anything else was missed) and refactors things
a bit to (hopefully) make it easier to spot any mistakes.
Signed-off-by: Alden Tondettar <alden.tondettar@gmail.com>
The usual way is to use ioctl to ask block device for sector size, but
this is useless for disk images (regular files). And the default
(512-bytes) may be pretty wrong for disk images from 4K disks. Let's
support a way how to specify proper sector size.
Signed-off-by: Karel Zak <kzak@redhat.com>
Swap devices with specific values in the uuid can look like minix
devices to blkid. Add an extra check to make sure the state of the
filesystem has valid state flags.
A couple of offending swap uuids include:
35f1f264-137f-471a-bc85-acc9f4bc04a3
35f1f264-7f13-471a-bc85-acc9f4bc04a3
35f1f264-138f-471a-bc85-acc9f4bc04a3
35f1f264-8f13-471a-bc85-acc9f4bc04a3
Without this change a swap device with any of those uuids would be
detected as minix and swap by blkid.
Signed-off-by: Nate Clark <nate@neworld.us>
fsck.minix performs the same sanity checks on all versions of the
superblock. Update the probe to perform the same sanity checks so it is
less likely a different type of filesystem will be identified as minix.
Signed-off-by: Nate Clark <nate@neworld.us>
All of the types in the minix super block are unsigned but in
probe_minix they were being treated as signed. This would cause some of
the extra sanity checks to pass on a non minix device. The types were
updated to match the return types of the helper functions in
disk-utils/minix_programs.h
This can be checked by creating a swap partition with one of these UUIDs
35f1f264-2468-471a-bc85-acc9f4bc04a3
35f1f264-6824-471a-bc85-acc9f4bc04a3
35f1f264-2478-471a-bc85-acc9f4bc04a3
35f1f264-7824-471a-bc85-acc9f4bc04a3
Prior to this change they would all be considered minix and swap by
blkid.
Signed-off-by: Nate Clark <nate@neworld.us>
libsmartcols/samples/fromfile.c:59:2: warning: passing argument 3 of 'string_to_bitmask' from incompatible pointer type
text-utils/pg.c:79:0: warning: "TABSIZE" redefined
libblkid/src/read.c:455:13: warning: 'debug_dump_dev' defined but not used [-Wunused-function]
libblkid/src/probe.c:769:13: warning: unused function 'cdrom_size_correction' [-Wunused-function]
/usr/include/sys/termios.h:3:2: warning: "this file includes <sys/termios.h> which is deprecated, use <termios.h> instead" [-W#warnings]
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Make the publicly-visible crc32 library functions prefixed by ul_, such
as crc32() -> ul_crc32().
This is because it clashes with the crc32() function from zlib.
For newer versions of glib (2.50+) zlib and libblkid are required
dependencies and otherwise results in build failure when building
statically.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
A strlen() call can lead to out of boundary read access if the
superblock in question has no nul-bytes after the string. This
could be avoided by using strnlen() but the calls in question
merely existed to check if the string length is not 0.
By changing the calls as proposed with this diff, these files are
in sync with other superblock files, which do exactly the same.
It's possible to use boot sector and empty MBR on LVM physical volume
to make LVM disk bootable. In this case MBR should be ignored and disk
reported as LVM.
Just for the record, this is ugly non-default LVM setup maintained for
backward compatibility (yes, LVM guys don't like it too).
Unfortunately people still use it. The proper way is to use regular
partitioned disk.
Reported-by: Xen <list@xenhideout.nl>
Signed-off-by: Karel Zak <kzak@redhat.com>
64 bit systems can trigger an out of boundary access while performing
a ZFS superblock probe.
This happens due to a possible integer overflow while calculating
the remaining available bytes. The variable is of type "int" and the
string length is allowed to be larger than INT_MAX, which means that
avail calculation can overflow, circumventing the "avail < 0" check and
therefore accessing memory outside the "buff" array later on.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
The oclint was complaining 'empty do/while statement' that turned out to be
true and I started to think it is best to use the same DBG() macro as in
other source files for this library.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Move negative and positive testing of 'has' variable to top level, and test
flag bit mask on second level. This way the 'has' needs to be checked only
once.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
This is extension to the patch 7164a1c34d.
We also need to detect non-empty recursion in the EBR chain. It's
possible to create standard valid logical partitions and in the last one
points back to the EBR chain. In this case all offsets will be non-empty.
Unfortunately, it's valid to create logical partitions that are not in
the "disk order" (sorted by start offset). So link somewhere back is
valid, but this link cannot points to already existing partition
(otherwise we will see recursion).
This patch forces libblkid to ignore duplicate logical partitions, the
duplicate chain segment is interpreted as non-data segment, after 100
iterations with non-data segments it will break the loop -- no memory
is allocated in this case by the loop.
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
References: http://seclists.org/oss-sec/2016/q3/40
Signed-off-by: Karel Zak <kzak@redhat.com>
If the extended partition starts at zero LBA then MBR is interpreted
as EBR and all is recursively parsed... result is out-of-memory.
MBR --extended-partition--> EBR --> MBR --> ENB --> MBR ...
Note that such PT is not possible to create by standard partitioning
tools.
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
Signed-off-by: Karel Zak <kzak@redhat.com>
Drives with 512 and 4K sectors have different offset for
metadata signature. Without signature detected on 4Kn drives
those drives will not be recognized as raid member. This
patch adds checking for IMSM signature for 4Kn drives.
Signed-off-by: Alexey Obitotskiy <aleksey.obitotskiy@intel.com>
The bytes variable is read from the file system to probe and must be
checked before used as length parameter in the crc32 call.
The following problems may occur here:
- bytes smaller than sumoff + 4: underflow in length calculation
- bytes larger than remaining space in sb: overflow of buffer
This fixes a problem where an encrypted volume had the correct magic
values 0x3434 at offset 0x406 and the following uint16_t (which is
read into the nilfs_super_block.s_bytes struct) was parsed as 1.
Then crc32 was called with the length value 18446744073709551597
causing a segmentation fault.
[kzak@redhat.com: - fix probe_nilfs2() return code]
Signed-off-by: Karel Zak <kzak@redhat.com>
Fix various typos in error messages, warnings, debug strings,
comments and names of static functions.
Signed-off-by: Sebastian Rasmussen <sebras@gmail.com>
Let's try to use symlink:
# ls -la /dev/block/8\:1
# lrwxrwxrwx 1 root root 7 May 25 16:42 /dev/block/8:1 -> ../sda1
# blkid /dev/block/8:1
/dev/block/8:3: LABEL="HOME" UUID="196972ad-3b13-4bba-ac54-4cb3f7b409a4" TYPE="ext4" PARTUUID="6073277f-87bc-43ff-bcfd-724c4484a63a"
unfortunately the symlink is stored to the cache:
<device DEVNO="0x0803" TIME="1464253300.715279" LABEL="HOME" UUID="196972ad-3b13-4bba-ac54-4cb3f7b409a4" TYPE="ext4" PARTUUID="6073277f-87bc-43ff-bcfd-724c4484a63a">/dev/block/8:3</device>
next time if you ask for LABEL=HOME the answer will be /dev/block/8:3
rather than /dev/sda3.
It seems better to canonicalize the paths we store to the cache.
Unfortunately if you ask for /dev/block/8:3 then you probably expect
that blkid_dev_devname() returns the same path. This patch introduces
dev->bid_xname, this is the path used by application (and never stored
in the cache).
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1332779
Signed-off-by: Karel Zak <kzak@redhat.com>
It seems too tricky to get a real size of the data track on hybrid
disks with audio+data. It seems overkill to analyze all header in
libblkid and on some disks it's probably possible to get I/O error
almost everywhere due to crazy copy protection etc.
Signed-off-by: Karel Zak <kzak@redhat.com>
This reverts commit a14cc9a504.
We need a better way (probably analyze track ioctls CDROMREADTOCHDR
and CDROMREADTOCENTRY) to get also proper track size.
The original patch works only if data track is the last track.
Signed-off-by: Karel Zak <kzak@redhat.com>
.. and read last session if probing offset is not specified.
udev uses cdrom_id to get last session offset, so people don't see a
problem with hybrid media (audio+data), but if you execute blkid on
command line (without -O <offset>) then you get I/O errors.
It seems that we can use the same way as kernel filesystem iso9960
driver when session= mount option is not specified ... just use
CDROMMULTISESSION ioctl to get last session offset and probe this last
session rather than all medium.
Signed-off-by: Karel Zak <kzak@redhat.com>
Linux kernel reports devices greater than area readable by read(2).
The readable area is usually 2-3 CD blocks smaller (CD block is
2048-bytes) than size returned by BLKGETSIZE. This patch checks for
this issues to avoid I/O errors in probing functions.
Reported-by: Thomas Schmitt <scdbackup@gmx.net>
Signed-off-by: Karel Zak <kzak@redhat.com>
Ruediger Meier
Karel Zak
Tobias Stoeckmann
Sami Kerola
Alden Tondettar
Nate Clark
Sébastien Helleu
Gustavo Zacarias
Rostislav Skudnov
Alexey Obitotskiy
Torsten Hilbrich
Sebastian Rasmussen