rpms/parted
5
0
Fork 0
Code Issues Pull Requests Releases Activity
c3686805a4
parted/0110-Avoid-sigsegv-in-case-2nd-nilfs2-superblock-magic-ac.patch
Brian C. Lane 9b87badc1f - Add fix and tests for nilfs2 sigsegv
2019-04-09 15:01:35 -07:00

54 lines
2.0 KiB
Diff
Raw Blame History

From b951c46fab0efe29adc43d7fff7ed4201adcde7d Mon Sep 17 00:00:00 2001
From: Michael Small <smallm@sdf.org>
Date: Fri, 8 Feb 2019 17:01:43 -0500
Subject: [PATCH 110/111] Avoid sigsegv in case 2nd nilfs2 superblock magic
accidently found.
1. is_valid_nilfs_sb: make sure the subtraction bytes - sumoff - 4
won't give a negative number. That as the len argument to
__efi_crc32() would give a very large number for the latter's for
loop limit, since len is unsigned long.
2. nilfs2_probe: Read and allocate enough sectors to hold a
struct nilfs2_super_block. is_valid_nilfs_sb() will be passing
up to 1024 bytes to __efi_crc32(). If only one 512 byte sector
had been allocated with alloca and read from disk that would cause
reads off the the end of the stack even if bytes were more than
sumoff - 4.
---
libparted/fs/nilfs2/nilfs2.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/libparted/fs/nilfs2/nilfs2.c b/libparted/fs/nilfs2/nilfs2.c
index b42a464..52f757c 100644
--- a/libparted/fs/nilfs2/nilfs2.c
+++ b/libparted/fs/nilfs2/nilfs2.c
@@ -89,7 +89,7 @@ is_valid_nilfs_sb(struct nilfs2_super_block *sb)
return 0;
bytes = PED_LE16_TO_CPU(sb->s_bytes);
- if (bytes > 1024)
+ if (bytes > 1024 || bytes < sumoff - 4)
return 0;
crc = __efi_crc32(sb, sumoff, PED_LE32_TO_CPU(sb->s_crc_seed));
@@ -113,11 +113,13 @@ nilfs2_probe (PedGeometry* geom)
const int sectors = (4096 + geom->dev->sector_size - 1) /
geom->dev->sector_size;
char *buf = alloca (sectors * geom->dev->sector_size);
- void *buff2 = alloca (geom->dev->sector_size);
+ const int sectors2 = (1024 + geom->dev->sector_size -1 ) /
+ geom->dev->sector_size;
+ void *buff2 = alloca (sectors2 * geom->dev->sector_size);
if (ped_geometry_read(geom, buf, 0, sectors))
sb = (struct nilfs2_super_block *)(buf+1024);
- if (ped_geometry_read(geom, buff2, sb2off, 1))
+ if (ped_geometry_read(geom, buff2, sb2off, sectors2))
sb2 = buff2;
if ((!sb || !is_valid_nilfs_sb(sb)) &&
--
2.20.1
Reference in New Issue View Git Blame Copy Permalink