hexdump: sanitize fiemap ioctl output

Cap fm_mapped_extents to FIEMAP_EXTENTS_BATCH after each ioctl() call
to prevent potential out-of-bounds access if the kernel returns more
extents than requested.

Reported-by: Coverity Scan
Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/text-utils/hexdump-display.c b/text-utils/hexdump-display.c
index f0db9c12a08be24ceb0569016f8fe1885ff37e6c..d6422d24c64dfd3407e1be060f45f3ea6e95fb60 100644 (file)
--- a/text-utils/hexdump-display.c
+++ b/text-utils/hexdump-display.c
@@ -101,6 +101,9 @@ static void init_fiemap(struct hexdump *hex, int fd)
                return;
        }
 
+       if (fm->fm_mapped_extents > FIEMAP_EXTENTS_BATCH)
+               fm->fm_mapped_extents = FIEMAP_EXTENTS_BATCH;
+
        /* If no extents, the entire file is a hole - keep fiemap to indicate this */
        if (fm->fm_mapped_extents == 0) {
                hex->fiemap = fm;
@@ -129,6 +132,9 @@ static int fetch_more_extents(struct hexdump *hex, int fd)
        if (ioctl(fd, FS_IOC_FIEMAP, fm) < 0)
                return 0;
 
+       if (fm->fm_mapped_extents > FIEMAP_EXTENTS_BATCH)
+               fm->fm_mapped_extents = FIEMAP_EXTENTS_BATCH;
+
        hex->current_extent = 0;
        return 1;
 }