From: Milan Broz Date: Mon, 23 Jan 2023 12:46:31 +0000 (+0100) Subject: libblkid: befs - avoid undefined shift X-Git-Tag: v2.39-rc1~127^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0ec43c07e0d70cb83e734d31e15f58fefe2347a2;p=thirdparty%2Futil-linux.git libblkid: befs - avoid undefined shift BEFS does not check maximal value for ag_shift leading to undefined behavior. Avoid this by limiting shift size. Reproducer found with OSS-Fuzz (issue 55285) running over cryptsetup project (blkid is used in header init). Signed-off-by: Milan Broz --- diff --git a/libblkid/src/superblocks/befs.c b/libblkid/src/superblocks/befs.c index 8de697ddc0..5112d44f49 100644 --- a/libblkid/src/superblocks/befs.c +++ b/libblkid/src/superblocks/befs.c @@ -502,6 +502,9 @@ static int probe_befs(blkid_probe pr, const struct blkid_idmag *mag) block_size != 1U << block_shift) return BLKID_PROBE_NONE; + if (FS32_TO_CPU(bs->ag_shift, fs_le) > 64) + return BLKID_PROBE_NONE; + ret = get_uuid(pr, bs, &volume_id, fs_le); if (ret != 0)
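Review bot: The new bound `FS32_TO_CPU(bs->ag_shift, fs_le) > 64` in probe_befs() still accepts ag_shift == 64, and in C a shift by a count equal to or greater than the width of the promoted left operand is undefined. The shift that consumes ag_shift is outside this hunk, so the operand width should be confirmed against it: for a 64-bit operand the rejection needs to be `>= 64`, and tighter still if the operand is 32-bit or is a signed type whose result must not overflow. A one-line comment naming the shift this bound protects would also help, since 64 appears here as a bare constant with no stated relation to the type being shifted.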