From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
To: <util-linux@vger.kernel.org>
Subject: Re: [PATCHv2] liblkid: Add length check in probe_nilfs2 before crc32
Date: Mon, 20 Jun 2016 07:09:10 +0200 [thread overview]
Message-ID: <57677A76.1040503@secunet.com> (raw)
In-Reply-To: <576384D1.4000602@secunet.com>
I have feedback on my first version of the patch sent to the kernel maintainers, so
I'm sending you the result of this discussion as well.
The following changes were made:
- add const to the newly introduced variable
- renaming it to crc_start
- fix check for maximum size, bytes is the end of the area to crc32-check, not its
length
Torsten
------PATCH starts here -------------------------------------------------------
The bytes variable is read from the file system to probe and must be
checked before used as length parameter in the crc32 call.
The following problems may occur here:
- bytes smaller than sumoff + 4: underflow in length calculation
- bytes larger than remaining space in sb: overflow of buffer
This fixes a problem where an encrypted volume had the correct magic
values 0x3434 at offset 0x406 and the following uint16_t (which is
read into the nilfs_super_block.s_bytes struct) was parsed as 1.
Then crc32 was called with the length value 18446744073709551597
causing a segmentation fault.
---
libblkid/src/superblocks/nilfs.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libblkid/src/superblocks/nilfs.c b/libblkid/src/superblocks/nilfs.c
index d12472c..fbafb8d 100644
--- a/libblkid/src/superblocks/nilfs.c
+++ b/libblkid/src/superblocks/nilfs.c
@@ -72,6 +72,7 @@ static int nilfs_valid_sb(blkid_probe pr, struct nilfs_super_block *sb, int is_b
static unsigned char sum[4];
const int sumoff = offsetof(struct nilfs_super_block, s_sum);
size_t bytes;
+ const size_t crc_start = sumoff + 4;
uint32_t crc;
if (!sb || le16_to_cpu(sb->s_magic) != NILFS_SB_MAGIC)
@@ -82,9 +83,15 @@ static int nilfs_valid_sb(blkid_probe pr, struct nilfs_super_block *sb, int is_b
return 0;
bytes = le16_to_cpu(sb->s_bytes);
+ /* ensure that no underrun can happen in the length parameter
+ * of the crc32 call or more data are processed than read into
+ * sb */
+ if (bytes < crc_start || bytes > sizeof(struct nilfs_super_block))
+ return -1;
+
crc = crc32(le32_to_cpu(sb->s_crc_seed), (unsigned char *)sb, sumoff);
crc = crc32(crc, sum, 4);
- crc = crc32(crc, (unsigned char *)sb + sumoff + 4, bytes - sumoff - 4);
+ crc = crc32(crc, (unsigned char *)sb + crc_start, bytes - crc_start);
return blkid_probe_verify_csum(pr, crc, le32_to_cpu(sb->s_sum));
}
--
2.1.4
next prev parent reply other threads:[~2016-06-20 5:09 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-17 5:04 [PATCH] liblkid: Add length check in probe_nilfs2 before crc32 Torsten Hilbrich
2016-06-20 5:09 ` Torsten Hilbrich [this message]
2016-06-24 9:16 ` [PATCHv2] " Karel Zak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57677A76.1040503@secunet.com \
--to=torsten.hilbrich@secunet.com \
--cc=util-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox