From fb4a413e67e0d4f24ad23ece37f206d198601741 Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Thu, 2 Jun 2022 16:02:54 +0200
Subject: libblkid: (probe) fix size and offset overflows [fuzzing]

Addresses: https://issues.redhat.com/browse/RHEL-16070
Upstream: http://github.com/util-linux/util-linux/commit/106de261469e1001243d5b81ed895762fb34b2ba
Reported-by: Thibault Guittet
Signed-off-by: Karel Zak
---
 libblkid/src/probe.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/libblkid/src/probe.c b/libblkid/src/probe.c
index 49a62c47f..d36dce4c9 100644
--- a/libblkid/src/probe.c
+++ b/libblkid/src/probe.c
@@ -613,6 +613,11 @@ static int hide_buffer(blkid_probe pr, uint64_t off, uint64_t len)
 	struct list_head *p;
 	int ct = 0;
+	if (UINT64_MAX - len < off) {
+		DBG(BUFFER, ul_debug("\t hide-buffer overflow (ignore)"));
+		return -EINVAL;
+	}
+
 	list_for_each(p, &pr->buffers) {
 		struct blkid_bufinfo *x = list_entry(p, struct blkid_bufinfo, bufs);
@@ -648,14 +653,20 @@ unsigned char *blkid_probe_get_buffer(blkid_probe pr, uint64_t off, uint64_t len
 	DBG(BUFFER, ul_debug("\t>>>> off=%ju, real-off=%ju (probe <%ju..%ju>, len=%ju", off, real_off, pr->off, pr->off + pr->size, len));
 	*/
-
 	if (pr->size == 0) {
 		errno = EINVAL;
 		return NULL;
 	}
-	if (len == 0 || (!S_ISCHR(pr->mode) && pr->off + pr->size < real_off + len)) {
-		DBG(BUFFER, ul_debug("\t ignore: request out of probing area"));
+	if (UINT64_MAX - len < off || UINT64_MAX - len < real_off) {
+		DBG(BUFFER, ul_debug("\t read-buffer overflow (ignore)"));
+		return NULL;
+	}
+
+	if (len == 0
+	    || (!S_ISCHR(pr->mode) && (pr->size < off || pr->size < len))
+	    || (!S_ISCHR(pr->mode) && (pr->off + pr->size < real_off + len))) {
+		DBG(BUFFER, ul_debug("\t read-buffer out of probing area (ignore)"));
 		errno = 0;
 		return NULL;
 	}
-- 
2.43.0
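Review bot: The new overflow guard in blkid_probe_get_buffer returns NULL without touching errno, while the two neighbouring early returns set it (EINVAL for pr->size == 0, 0 for the out-of-area case), so a caller that tells "no data" from "error" by inspecting errno after a NULL return sees whatever a previous library call left behind. Since the debug message already labels this an "(ignore)" case, add `errno = 0;` before the `return NULL;` in that branch to match the out-of-area path, or `errno = EINVAL;` if it is meant to be reported as an error. The surviving comparison `pr->off + pr->size < real_off + len` still adds pr->off and pr->size unchecked; if both are validated when the probing range is set this is fine, otherwise it needs the same UINT64_MAX guard. If real_off is pr->off + off (not visible in the hunk), the clause `(pr->size < off || pr->size < len)` is implied by the third one now that off + len cannot wrap, so the two `!S_ISCHR(pr->mode)` disjuncts could be merged into a single, easier-to-audit condition. blkid_probe_get_buffer continues outside the hunk.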