git.ipfire.org Git - thirdparty/util-linux.git/commit

author	Karel Zak <kzak@redhat.com>
	Wed, 25 Mar 2026 10:54:28 +0000 (11:54 +0100)
committer	Karel Zak <kzak@redhat.com>
	Wed, 1 Apr 2026 08:50:16 +0000 (10:50 +0200)
commit	05c2dbadf34cc74192287f377904afaaf4061623
tree	3a9105ef7682f85da7aa8fd09822cea6a69a76ab	tree \| snapshot
parent	f55f9906b4f6eeb2b4a4120317df9de935253c10	commit \| diff

libblkid: dos: validate EBR data and links within extended partition

The parse_dos_extended() function processes EBR (Extended Boot Record)
chains, but does not properly validate that partitions and links stay
within the master extended partition area [ex_start, ex_start+ex_size).

For EBR data partitions at index 0 and 1, there are no bounds checks
at all, unlike entries at index 2 and 3. This allows a crafted disk
image to register partitions at arbitrary sectors via uint32_t overflow
in the abs_start calculation (cur_start + start wraps to a small value).

Fix by:
- using 64-bit arithmetic for the abs_start calculation to avoid
   uint32_t wraparound
- applying the extended partition area bounds check to all EBR data
   entries, not just index >= 2
- validating EBR link targets stay within the extended area and
   advance forward (preventing backward links that could loop)

Reported-by: Michele Piccinni <piccinni.michele@gmail.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
(cherry picked from commit e9d544d013267ea86b70ee8ff78abd280e6641af)