From c2ee14017e377463a16e0fd80716e3f01d7960a1 Mon Sep 17 00:00:00 2001 From: Karel Zak Date: Wed, 19 Nov 2025 11:17:57 +0100 Subject: [PATCH] libfdisk: fix off-by-one in maximum last sector calculation Resolves: RHEL-122367 --- ...-off-by-one-in-maximum-last-sector-c.patch | 46 +++++++++++++++++++ util-linux.spec | 2 + 2 files changed, 48 insertions(+) create mode 100644 0019-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch diff --git a/0019-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch b/0019-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch new file mode 100644 index 0000000..e1f1120 --- /dev/null +++ b/0019-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch 
@@ -0,0 +1,46 @@ +From ec0dfcca6f2d154a4697df4448d1aea6d2ee00af Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Thu, 30 Oct 2025 12:11:43 +0100 +Subject: libfdisk: (dos) fix off-by-one in maximum last sector calculation + +The get_disk_ranges() function incorrectly capped the last usable +sector at UINT_MAX, which could cause an overflow when calculating +partition size for MBR partition tables. + +MBR stores partition size as a 32-bit value with maximum UINT_MAX. +The partition size is calculated as: size = stop - start + 1 + +For a partition starting at sector 0: +- If stop = UINT_MAX: size = UINT_MAX + 1 (overflow!) +- If stop = UINT_MAX - 1: size = UINT_MAX (correct maximum) + +This fixes the inconsistency where dos_init() correctly warns about +disks larger than UINT_MAX sectors (2TiB - 512 bytes for 512-byte +sectors), but get_disk_ranges() allowed creating partitions that +would overflow the 32-bit size field. + +Addresses: https://issues.redhat.com/browse/RHEL-122367 +Signed-off-by: Karel Zak +(cherry picked from commit 578923fe582903628ecc0d2a434af0affa3660d2) +--- + libfdisk/src/dos.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libfdisk/src/dos.c b/libfdisk/src/dos.c +index db7e25716..c88d2a4f2 100644 +--- a/libfdisk/src/dos.c ++++ b/libfdisk/src/dos.c +@@ -1241,8 +1241,8 @@ static int get_disk_ranges(struct fdisk_context *cxt, int logical, + else + *last = cxt->total_sectors - 1; + +- if (*last > UINT_MAX) +- *last = UINT_MAX; ++ if (*last >= UINT_MAX) ++ *last = UINT_MAX - 1; + *first = cxt->first_lba; + } + +-- +2.51.1 + diff --git a/util-linux.spec b/util-linux.spec index 1c6b764..424fc04 100644 --- a/util-linux.spec +++ b/util-linux.spec 
@@ -134,6 +134,8 @@ Patch16: 0016-mount-improve-all-documentation.patch Patch17: 0017-libblkid-Fix-probe_ioctl_tp-assigning-BLKGETDISKSEQ-.patch # RHEL-121120 - libblkid: use snprintf() instead of sprintf() Patch18: 0018-libblkid-use-snprintf-instead-of-sprintf.patch +# RHEL-122367 - libfdisk: (dos) fix off-by-one in maximum last sector calculation +Patch19: 0019-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch %description
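Review bot: in the libfdisk/src/dos.c hunk of the embedded 0019 patch (get_disk_ranges(), @@ -1241,8 +1241,8 @@), the new clamp `*last = UINT_MAX - 1;` has no in-code comment, so the reason for the "- 1" exists only in the commit message. Suggest a short comment above `if (*last >= UINT_MAX)` saying that the MBR size field is 32-bit and that size = stop - start + 1, so a later cleanup does not turn the bound back into UINT_MAX. The commit message derives the bound for a partition starting at sector 0, while the following line sets `*first = cxt->first_lba`. For a non-zero start the clamp is therefore conservative rather than exact, which is worth stating in the same comment.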
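Review bot: in the util-linux.spec hunk (@@ -134,6 +134,8 @@), only the `Patch19:` declaration and its comment line are added, and the diffstat lists 2 insertions for this file in total, so nothing in this change applies the patch in %prep or records it in Release or %changelog. If the spec uses %autosetup or %autopatch together with rpmautospec, that is fine. Otherwise add the matching %patch line and a changelog entry referencing RHEL-122367, or the fix ships in the SRPM without being applied to the build.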