[PATCH] blkdiscard: fix underflow when offset is greater than device size

From: "Raphael S. Carvalho" <raphaelsc@xxxxxxxxxxxxxxxxxxxx>

If offset (range[0]) is greater than device size (blksize), the variable 'end'
will be greater than blksize, and range[1] (length) will be recalculated.
The underflow happens when subtracting range[0] (offset) from blksize, thus
range[1] will be the result of an underflow. The bug leads to unwanted behavior
from the program, where range[1] is likely to be a high number and then will
discard a considerable amount of blocks from the device. The fix consists of
exiting the program with an error message when the condition stated above is
true. Spotted while auditing the code.

Signed-off-by: Raphael S. Carvalho <raphaelsc@xxxxxxxxxxxxxxxxxxxx>
---
 sys-utils/blkdiscard.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys-utils/blkdiscard.c b/sys-utils/blkdiscard.c
index 2ddcdb1..2f22af7 100644
--- a/sys-utils/blkdiscard.c
+++ b/sys-utils/blkdiscard.c
@@ -149,6 +149,8 @@ int main(int argc, char **argv)
 	range[1] &= ~(secsize - 1);
 
 	/* is the range end behind the end of the device ?*/
+	if (range[0] > blksize)
+		err(EXIT_FAILURE, _("%s: offset is greater than device size"), path);
 	end = range[0] + range[1];
 	if (end < range[0] || end > blksize)
 		range[1] = blksize - range[0];
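
Review bot: the added check reports through err(), which appends strerror(errno) to the message, but no system call has failed at this point, so the suffix would reflect whatever errno last held; errx(EXIT_FAILURE, ...) is the better fit for a pure argument check. The comparison `range[0] > blksize` also lets an offset exactly equal to the device size through, in which case the clamp below sets range[1] to `blksize - range[0]`, i.e. 0; consider `>=` if a zero-length range should be rejected as well. Finally, the two new lines sit between the comment "is the range end behind the end of the device ?" and the `end` computation that comment describes, so moving the check above the comment (or giving it its own one-line comment) would keep the comment attached to the right code.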
-- 
1.9.3
