From 7e1c9da4773237e368bdc0539ef91d55ef19806c Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Sun, 28 Aug 2016 21:15:59 +0200 Subject: [PATCH 114/116] libblkid: Avoid OOB access on illegal ZFS superblocks 64 bit systems can trigger an out of boundary access while performing a ZFS superblock probe. This happens due to a possible integer overflow while calculating the remaining available bytes. The variable is of type "int" and the string length is allowed to be larger than INT_MAX, which means that avail calculation can overflow, circumventing the "avail < 0" check and therefore accessing memory outside the "buff" array later on. [kzak@redhat.com (rhel7): - remove unused swab_magic] Upstream: https://github.com/karelzak/util-linux/commit/8fa57ab0b5696031da800e243def32bc5265ff6d Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1392661 Signed-off-by: Tobias Stoeckmann Signed-off-by: Karel Zak --- libblkid/src/superblocks/zfs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libblkid/src/superblocks/zfs.c b/libblkid/src/superblocks/zfs.c index ff12fa6..2c7b4b7 100644 --- a/libblkid/src/superblocks/zfs.c +++ b/libblkid/src/superblocks/zfs.c @@ -115,7 +115,7 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset) nvs->nvs_type = be32_to_cpu(nvs->nvs_type); nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen); - if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs)) + if (nvs->nvs_strlen > INT_MAX - sizeof(*nvs)) break; avail -= nvs->nvs_strlen + sizeof(*nvs); nvdebug("nvstring: type %u string %*s\n", nvs->nvs_type, @@ -201,7 +201,6 @@ static int find_uberblocks(const void *label, loff_t *ub_offset, int *swap_endia * #4 (@ 132kB) is the first one written on a new filesystem. */ static int probe_zfs(blkid_probe pr, const struct blkid_idmag *mag) { - uint64_t swab_magic = swab64(UBERBLOCK_MAGIC); int swab_endian = 0; struct zfs_uberblock *ub; loff_t offset, ub_offset = 0; -- 2.9.3