From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 28 Aug 2016 19:15:59 +0000 (+0200)
Subject: libblkid: Avoid OOB access on illegal ZFS superblocks
X-Git-Tag: v2.29-rc1~96
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8fa57ab0b5696031da800e243def32bc5265ff6d;p=thirdparty%2Futil-linux.git

libblkid: Avoid OOB access on illegal ZFS superblocks

64 bit systems can trigger an out of boundary access while performing
a ZFS superblock probe.

This happens due to a possible integer overflow while calculating
the remaining available bytes. The variable is of type "int" and the
string length is allowed to be larger than INT_MAX, which means that
avail calculation can overflow, circumventing the "avail < 0" check and
therefore accessing memory outside the "buff" array later on.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---

diff --git a/libblkid/src/superblocks/zfs.c b/libblkid/src/superblocks/zfs.c
index b6ffac537b..c41f769905 100644
--- a/libblkid/src/superblocks/zfs.c
+++ b/libblkid/src/superblocks/zfs.c
@@ -112,7 +112,7 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset)
 
 			nvs->nvs_type = be32_to_cpu(nvs->nvs_type);
 			nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen);
-			if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs))
+			if (nvs->nvs_strlen > INT_MAX - sizeof(*nvs))
 				break;
 			avail -= nvs->nvs_strlen + sizeof(*nvs);
 			DBG(LOWPROBE, ul_debug("nvstring: type %u string %*s\n", nvs->nvs_type,