From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
To: <util-linux@vger.kernel.org>
Subject: [PATCH] liblkid: Add length check in probe_nilfs2 before crc32
Date: Fri, 17 Jun 2016 07:04:17 +0200 [thread overview]
Message-ID: <576384D1.4000602@secunet.com> (raw)
The bytes variable is read from the file system to probe and must be
checked before used as length parameter in the crc32 call.
The following problems may occur here:
- bytes smaller than sumoff + 4: underflow in length calculation
- bytes larger than remaining space in sb: overflow of buffer
This fixes a problem where an encrypted volume had the correct magic
values 0x3434 at offset 0x406 and the following uint16_t (which is
read into the nilfs_super_block.s_bytes struct) was parsed as 1.
Then crc32 was called with the length value 18446744073709551597
causing a segmentation fault.
---
libblkid/src/superblocks/nilfs.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libblkid/src/superblocks/nilfs.c b/libblkid/src/superblocks/nilfs.c
index d12472c..ff420cf 100644
--- a/libblkid/src/superblocks/nilfs.c
+++ b/libblkid/src/superblocks/nilfs.c
@@ -72,6 +72,7 @@ static int nilfs_valid_sb(blkid_probe pr, struct nilfs_super_block *sb, int is_b
static unsigned char sum[4];
const int sumoff = offsetof(struct nilfs_super_block, s_sum);
size_t bytes;
+ size_t crc_offset = sumoff + 4;
uint32_t crc;
if (!sb || le16_to_cpu(sb->s_magic) != NILFS_SB_MAGIC)
@@ -82,9 +83,15 @@ static int nilfs_valid_sb(blkid_probe pr, struct nilfs_super_block *sb, int is_b
return 0;
bytes = le16_to_cpu(sb->s_bytes);
+ /* ensure that no underrun can happen in the length parameter
+ * of the crc32 call or more data are processed than read into
+ * sb */
+ if (bytes < crc_offset || bytes > sizeof(struct nilfs_super_block) - crc_offset)
+ return -1;
+
crc = crc32(le32_to_cpu(sb->s_crc_seed), (unsigned char *)sb, sumoff);
crc = crc32(crc, sum, 4);
- crc = crc32(crc, (unsigned char *)sb + sumoff + 4, bytes - sumoff - 4);
+ crc = crc32(crc, (unsigned char *)sb + crc_offset, bytes - crc_offset);
return blkid_probe_verify_csum(pr, crc, le32_to_cpu(sb->s_sum));
}
--
2.1.4
next reply other threads:[~2016-06-17 5:36 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-17 5:04 Torsten Hilbrich [this message]
2016-06-20 5:09 ` [PATCHv2] liblkid: Add length check in probe_nilfs2 before crc32 Torsten Hilbrich
2016-06-24 9:16 ` Karel Zak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=576384D1.4000602@secunet.com \
--to=torsten.hilbrich@secunet.com \
--cc=util-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.