From: Darrick J. Wong Date: Thu, 9 Nov 2017 17:35:24 +0000 (-0600) Subject: xfs_repair: fix bag memory overwrite problems X-Git-Tag: v4.14.0-rc1~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4cf0d1f709ce30cef706d8f5ad5612215dc81ef5;p=thirdparty%2Fxfsprogs-dev.git xfs_repair: fix bag memory overwrite problems There's an off by one error in the bag_remove code such that we end up copying memory from beyond the end of the array into the array. Not a serious problem since we have counters to prevent us from reading that garbage, but AddressSanitizer complained so let's fix it. Signed-off-by: Darrick J. Wong Reviewed-by: Eric Sandeen Signed-off-by: Eric Sandeen --- diff --git a/repair/slab.c b/repair/slab.c index 86092704a..d47448a38 100644 --- a/repair/slab.c +++ b/repair/slab.c @@ -469,7 +469,7 @@ bag_remove( { ASSERT(nr < bag->bg_inuse); memmove(&bag->bg_ptrs[nr], &bag->bg_ptrs[nr + 1], - (bag->bg_inuse - nr) * sizeof(void *)); + (bag->bg_inuse - nr - 1) * sizeof(void *)); bag->bg_inuse--; return 0; }
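Review bot: The corrected memmove length `(bag->bg_inuse - nr - 1) * sizeof(void *)` in bag_remove is only safe when `nr < bag->bg_inuse`, and the only guard visible in this hunk is the `ASSERT` on the line above it. If that assertion is compiled out or non-fatal in some build configuration, a caller passing `nr >= bag->bg_inuse` makes the subtraction go negative, or wrap to a very large byte count if the fields are unsigned, and the memmove then runs far outside the array. The function already returns a status, so consider an explicit runtime check that returns an error before the memmove instead of relying on the assertion alone. The new count itself is right: there are bg_inuse - nr - 1 pointers after slot nr, and removing the last element now moves zero bytes. A one-line comment above the memmove stating that would help keep the off-by-one from being reintroduced.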