authorTobias Stoeckmann2016-08-28 21:15:59 +0200
committerKarel Zak2016-08-29 13:22:24 +0200
commit8fa57ab0b5696031da800e243def32bc5265ff6d (patch)
tree749c311f55e11d3460b0b6d4d1c58e2ed0ae2b1a /libblkid/src/superblocks/zfs.c
parentlibfdisk: Distinguish between first LBA sector and partition (diff)
libblkid: Avoid OOB access on illegal ZFS superblocks
64-bit systems can trigger an out-of-bounds access while performing a ZFS superblock probe. This happens due to a possible integer overflow while calculating the remaining available bytes. The variable is of type "int" and the string length is allowed to be larger than INT_MAX, which means that the avail calculation can overflow, circumventing the "avail < 0" check and therefore accessing memory outside the "buff" array later on. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Diffstat (limited to 'libblkid/src/superblocks/zfs.c')
-rw-r--r--libblkid/src/superblocks/zfs.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/libblkid/src/superblocks/zfs.c b/libblkid/src/superblocks/zfs.c
index b6ffac537..c41f76990 100644
--- a/libblkid/src/superblocks/zfs.c
+++ b/libblkid/src/superblocks/zfs.c
@@ -112,7 +112,7 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset)
nvs->nvs_type = be32_to_cpu(nvs->nvs_type);
nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen);
- if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs))
+ if (nvs->nvs_strlen > INT_MAX - sizeof(*nvs))
break;
avail -= nvs->nvs_strlen + sizeof(*nvs);
DBG(LOWPROBE, ul_debug("nvstring: type %u string %*s\n", nvs->nvs_type,
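Review bot: The new guard bounds `nvs->nvs_strlen` by a type limit (`INT_MAX`) rather than by the bytes actually left in the buffer, so a length that is far larger than `avail` is still accepted here and is only rejected by the `avail < 0` test the description mentions, which lies outside this hunk. Comparing against the remaining space directly, e.g. `if (avail < (int)sizeof(*nvs) || nvs->nvs_strlen > (size_t)avail - sizeof(*nvs)) break;`, would make the check independent of the width and signedness of `avail`, provided breaking out of the loop is acceptable at this point. The `DBG` context line also runs before any such validation and uses `%*s`, which sets a minimum field width rather than a maximum, so with low-level debugging enabled the print appears to read `nvs_string` up to the first NUL regardless of `nvs_strlen`. Moving the debug print after the bounds check and using `%.*s` with an `int` precision would bound that read, though the call's arguments continue past the hunk and should be confirmed. The body of `zfs_extract_guid_name` starts and ends outside the hunk.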