6f0dbde58a
Resolves: RHEL-12783 RHEL-14612 RHEL-16048 RHEL-16071 RHEL-21257
From 2fcbf867f00888216f7c4f57161b083ebdc8a836 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Thu, 2 Jun 2022 16:02:54 +0200
Subject: libblkid: (probe) fix size and offset overflows [fuzzing]
Addresses: https://issues.redhat.com/browse/RHEL-16071
Upstream: http://github.com/util-linux/util-linux/commit/106de261469e1001243d5b81ed895762fb34b2ba
Reported-by: Thibault Guittet <tguittet@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
---
libblkid/src/probe.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/libblkid/src/probe.c b/libblkid/src/probe.c
index d317dc19a..c2bcea616 100644
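--- a/libblkid/src/probe.c
+++ b/libblkid/src/probe.c
@@ -612,6 +612,11 @@ static int hide_buffer(blkid_probe pr, uint64_t off, uint64_t len)
 struct list_head *p;
 int ct = 0;
 
+ if (UINT64_MAX - len < off) {
+ DBG(BUFFER, ul_debug("\t hide-buffer overflow (ignore)"));
+ return -EINVAL;
+ }
+
 list_for_each(p, &pr->buffers) {
 struct blkid_bufinfo *x =
 list_entry(p, struct blkid_bufinfo, bufs);
@@ -647,14 +652,20 @@ unsigned char *blkid_probe_get_buffer(blkid_probe pr, uint64_t off, uint64_t len
 DBG(BUFFER, ul_debug("\t>>>> off=%ju, real-off=%ju (probe <%ju..%ju>, len=%ju",
 off, real_off, pr->off, pr->off + pr->size, len));
 */
-
 if (pr->size == 0) {
 errno = EINVAL;
 return NULL;
 }
 
- if (len == 0 || (!S_ISCHR(pr->mode) && pr->off + pr->size < real_off + len)) {
- DBG(BUFFER, ul_debug("\t ignore: request out of probing area"));
+ if (UINT64_MAX - len < off || UINT64_MAX - len < real_off) {
+ DBG(BUFFER, ul_debug("\t read-buffer overflow (ignore)"));
+ return NULL;
+ }
+
+ if (len == 0
+ || (!S_ISCHR(pr->mode) && (pr->size < off || pr->size < len))
+ || (!S_ISCHR(pr->mode) && (pr->off + pr->size < real_off + len))) {
+ DBG(BUFFER, ul_debug("\t read-buffer out of probing area (ignore)"));
 errno = 0;
 return NULL;
 }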
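Review bot: The new overflow branch in blkid_probe_get_buffer() returns NULL without assigning errno, while both neighbouring NULL returns set it (`errno = EINVAL` for an empty probing area, `errno = 0` for a request outside the area). A caller that tells "nothing to read" apart from a failure by checking errno after a NULL return would then see whatever value an earlier call left behind. Since the debug text marks the case as "(ignore)", adding `errno = 0;` before the `return NULL;` would match the out-of-area branch; `errno = EINVAL;` fits instead if a wrapped off/len should be reported as a caller error. The function body starts and ends outside the hunk, so how callers consume errno is not visible here.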
--
2.43.0