libblkid: Fix out of bounds byte swaps in ZFS handling
A corrupted ZFS filesystem can trigger 32-bit endian-conversions of
unintended memory locations in zfs_extract_guid_name(), in several ways:
* The variable "left" (number of bytes remaining in the buffer) does not
account for the 12 bytes of the nvlist header.
* The field nvp->nvp_namelen (name length in name/value pair) is rounded
up to the nearest multiple of 4, but only the unrounded size is checked.
* The fields nvs->nvs_type, nvs_strlen, etc. are modified _before_ checking
if they are within bounds.
* A negative value of nvp->nvp_namelen will bypass the check that
nvp->nvp_namelen fits into nvp->nvp_size (size of name/value pair).
This allows for mangling of locations up to 12 + 3 + 8 == 23
bytes beyond the end of stack-based buff[4096], and up to 2**31 bytes
before its beginning.
Furthermore some debugging messages are printed from unchecked memory
locations, possibly resulting in OOB reads or setuid programs leaking
sensitive data when LIBBLKID_DEBUG is set.
This fix attempts to correct all of these problems. It also eliminates the
stack-based buffer (in case anything else was missed) and refactors things
a bit to (hopefully) make it easier to spot any mistakes.
projects / thirdparty / util-linux.git / commit
