util-linux/0103-libblkid-probe-fix-size-and-offset-overflows-fuzzing.patch

From fb4a413e67e0d4f24ad23ece37f206d198601741 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Thu, 2 Jun 2022 16:02:54 +0200
Subject: libblkid: (probe) fix size and offset overflows [fuzzing]

Addresses: https://issues.redhat.com/browse/RHEL-16070
Upstream: http://github.com/util-linux/util-linux/commit/106de261469e1001243d5b81ed895762fb34b2ba
Reported-by: Thibault Guittet <tguittet@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
---
 libblkid/src/probe.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/libblkid/src/probe.c b/libblkid/src/probe.c
index 49a62c47f..d36dce4c9 100644
--- a/libblkid/src/probe.c
+++ b/libblkid/src/probe.c
@@ -613,6 +613,11 @@ static int hide_buffer(blkid_probe pr, uint64_t off, uint64_t len)
 	struct list_head *p;
 	int ct = 0;
 
+	if (UINT64_MAX - len < off) {
+		DBG(BUFFER, ul_debug("\t  hide-buffer overflow (ignore)"));
+		return -EINVAL;
+	}
+
 	list_for_each(p, &pr->buffers) {
 		struct blkid_bufinfo *x =
 			list_entry(p, struct blkid_bufinfo, bufs);
@@ -648,14 +653,20 @@ unsigned char *blkid_probe_get_buffer(blkid_probe pr, uint64_t off, uint64_t len
 	DBG(BUFFER, ul_debug("\t>>>> off=%ju, real-off=%ju (probe <%ju..%ju>, len=%ju",
 				off, real_off, pr->off, pr->off + pr->size, len));
 	*/
-
 	if (pr->size == 0) {
 		errno = EINVAL;
 		return NULL;
 	}
 
-	if (len == 0 || (!S_ISCHR(pr->mode) && pr->off + pr->size < real_off + len)) {
-		DBG(BUFFER, ul_debug("\t  ignore: request out of probing area"));
+	if (UINT64_MAX - len < off || UINT64_MAX - len < real_off) {
+		DBG(BUFFER, ul_debug("\t  read-buffer overflow (ignore)"));
+		return NULL;
+	}
+
+	if (len == 0
+	    || (!S_ISCHR(pr->mode) && (pr->size < off || pr->size < len))
+	    || (!S_ISCHR(pr->mode) && (pr->off + pr->size < real_off + len))) {
+		DBG(BUFFER, ul_debug("\t  read-buffer out of probing area (ignore)"));
 		errno = 0;
 		return NULL;
 	}
-- 
2.43.0