[PATCH] blkdiscard: fix underflow when offset is greater than device size

[PATCH] blkdiscard: fix underflow when offset is greater than device size

[Raphael S. Carvalho]

From: "Raphael S. Carvalho" <raphaelsc@cloudius-systems.com>

If offset (range[0]) is greater than device size (blksize), the variable 'end'
will be greater than blksize, and range[1] (length) will be recalculated.
The underflow happens when subtracting range[0] (offset) from blksize, thus
range[1] will be the result of an underflow. The bug leads to unwanted behavior
from the program, where range[1] is likely to be a high number and then will
discard a considerable amount of blocks from the device. The fix consists of
exitting the program with an error message when the condition stated above is
true. Spotted while auditing the code.

Signed-off-by: Raphael S. Carvalho <raphaelsc@cloudius-systems.com>
---
 sys-utils/blkdiscard.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys-utils/blkdiscard.c b/sys-utils/blkdiscard.c
index 2ddcdb1..2f22af7 100644
--- a/sys-utils/blkdiscard.c
+++ b/sys-utils/blkdiscard.c
@@ -149,6 +149,8 @@ int main(int argc, char **argv)
 	range[1] &= ~(secsize - 1);
 
 	/* is the range end behind the end of the device ?*/
+	if (range[0] > blksize)
+		err(EXIT_FAILURE, _("%s: offset is greater than device size"), path);
 	end = range[0] + range[1];
 	if (end < range[0] || end > blksize)
 		range[1] = blksize - range[0];
-- 
1.9.3

Re: [PATCH] blkdiscard: fix underflow when offset is greater than device size

[Karel Zak]

On Wed, Oct 08, 2014 at 09:46:07PM -0300, Raphael S. Carvalho wrote:
>  sys-utils/blkdiscard.c | 2 ++
>  1 file changed, 2 insertions(+)

 Applied, thanks.

   Karel 

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com