64 bit systems can trigger an out of boundary access while performing
a ZFS superblock probe.
This happens due to a possible integer overflow while calculating
the remaining available bytes. The variable is of type "int" and the
string length is allowed to be larger than INT_MAX, which means that
avail calculation can overflow, circumventing the "avail < 0" check and
therefore accessing memory outside the "buff" array later on.
Signed-off-by: Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx>
---
libblkid/src/superblocks/zfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libblkid/src/superblocks/zfs.c b/libblkid/src/superblocks/zfs.c
index b6ffac5..c41f769 100644
--- a/libblkid/src/superblocks/zfs.c
+++ b/libblkid/src/superblocks/zfs.c
@@ -112,7 +112,7 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset)
nvs->nvs_type = be32_to_cpu(nvs->nvs_type);
nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen);
- if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs))
+ if (nvs->nvs_strlen > INT_MAX - sizeof(*nvs))
break;
avail -= nvs->nvs_strlen + sizeof(*nvs);
DBG(LOWPROBE, ul_debug("nvstring: type %u string %*s\n", nvs->nvs_type,
--
2.9.3
--
To unsubscribe from this list: send the line "unsubscribe util-linux" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
