From mboxrd@z Thu Jan 1 00:00:00 1970 From: Lukasz Majewski Date: Mon, 29 Aug 2016 16:08:41 +0200 Subject: [U-Boot] [PATCH v3 10/13] ext4: Avoid out-of-bounds access of block bitmap In-Reply-To: References: <20160828204238.10809-1-stefan.bruens@rwth-aachen.de> Message-ID: <20160829160841.5eebee28@amdc2363> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de Hi Stefan, > If the blocksize is 1024, count is initialized with 1. Incrementing > count by 8 will never match (count == fs->blksz * 8), and ptr may be > incremented beyond the buffer end if the bitmap is filled. Add the > startblock offset after the loop. > > Remove the second loop, as only the first iteration will be done. > > Signed-off-by: Stefan Br?ns > --- > fs/ext4/ext4_common.c | 34 ++++++++++++---------------------- > 1 file changed, 12 insertions(+), 22 deletions(-) > > v3: Patch added to series > > diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c > index 362668b..11da6fa 100644 > --- a/fs/ext4/ext4_common.c > +++ b/fs/ext4/ext4_common.c > @@ -158,18 +158,12 @@ static int _get_new_inode_no(unsigned char > *buffer) > static int _get_new_blk_no(unsigned char *buffer) > { > - unsigned char input; > - int operand, status; > + int operand; > int count = 0; > - int j = 0; > + int i; > unsigned char *ptr = buffer; > struct ext_filesystem *fs = get_fs(); > > - if (fs->blksz != 1024) > - count = 0; > - else > - count = 1; > - > while (*ptr == 255) { > ptr++; > count += 8; 
> @@ -177,21 +171,17 @@ static int _get_new_blk_no(unsigned char > *buffer) return -1; > } > > - for (j = 0; j < fs->blksz; j++) { > - input = *ptr; > - int i = 0; > - while (i <= 7) { > - operand = 1 << i; > - status = input & operand; > - if (status) { > - i++; > - count++; > - } else { > - *ptr |= operand; > - return count; > - } > + if (fs->blksz == 1024) > + count += 1; > + > + for (i = 0; i <= 7; i++) { > + operand = 1 << i; > + if (*ptr & operand) { > + count++; > + } else { > + *ptr |= operand; > + return count; > } > - ptr = ptr + 1; > } > > return -1; Reviewed-by: Lukasz Majewski -- Best regards, Lukasz Majewski Samsung R&D Institute Poland (SRPOL) | Linux Platform Group
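Review bot: in the first hunk (`@@ -158,18 +158,12 @@`) the retained `while (*ptr == 255)` scan still depends on the exact test `count == fs->blksz * 8` to stop before `ptr` runs past `buffer`; with the `count = 1` initialisation removed it now fires precisely when `ptr` reaches `buffer + fs->blksz`, so the next `*ptr` read no longer happens, but the bound would be clearer and more robust expressed on the pointer itself, e.g. `if (ptr - buffer >= fs->blksz) return -1;`, or at least with `>=` instead of `==`, since any later change to the step by which `count` advances would silently reintroduce the overrun the commit message describes.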
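Review bot: in the second hunk (`@@ -177,21 +171,17 @@`) the new `if (fs->blksz == 1024) count += 1;` hard-codes the ext4 convention that block numbering starts at 1 for a 1 KiB block size and at 0 otherwise (the superblock's `s_first_data_block`); a one-line comment saying so, or reading that field instead of a literal, would stop the next reader from mistaking it for an off-by-one. Also, once the `while (*ptr == 255)` loop exits, `*ptr` is guaranteed to contain a zero bit, so the `for (i = 0; i <= 7; i++)` loop always returns from inside and the trailing `return -1` is unreachable; keeping it as defensive code is fine, but a short comment noting that would make the control flow easier to audit.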