From: Karel Zak Date: Thu, 2 Jun 2022 14:02:54 +0000 (+0200) Subject: libblkid: (probe) fix size and offset overflows [fuzzing] X-Git-Tag: v2.38.1~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f1692632bab8bc2033c0cd9d0aae5c22a5f19a07;p=thirdparty%2Futil-linux.git libblkid: (probe) fix size and offset overflows [fuzzing] Reported-by: Thibault Guittet Signed-off-by: Karel Zak
---
diff --git a/libblkid/src/probe.c b/libblkid/src/probe.c
index d571d15dd7..5acd2732c0 100644
--- a/libblkid/src/probe.c
+++ b/libblkid/src/probe.c
@@ -621,6 +621,11 @@ static int hide_buffer(blkid_probe pr, uint64_t off, uint64_t len)
 struct list_head *p;
 int ct = 0;
 
+ if (UINT64_MAX - len < off) {
+ DBG(BUFFER, ul_debug("\t hide-buffer overflow (ignore)"));
+ return -EINVAL;
+ }
+
 list_for_each(p, &pr->buffers) {
 struct blkid_bufinfo *x = list_entry(p, struct blkid_bufinfo, bufs);
 
@@ -656,14 +661,20 @@ unsigned char *blkid_probe_get_buffer(blkid_probe pr, uint64_t off, uint64_t len
 DBG(BUFFER, ul_debug("\t>>>> off=%ju, real-off=%ju (probe <%ju..%ju>, len=%ju", off, real_off, pr->off, pr->off + pr->size, len));
 */
-
 if (pr->size == 0) {
 errno = EINVAL;
 return NULL;
 }
 
- if (len == 0 || (!S_ISCHR(pr->mode) && pr->off + pr->size < real_off + len)) {
- DBG(BUFFER, ul_debug("\t ignore: request out of probing area"));
+ if (UINT64_MAX - len < off || UINT64_MAX - len < real_off) {
+ DBG(BUFFER, ul_debug("\t read-buffer overflow (ignore)"));
+ return NULL;
+ }
+
+ if (len == 0
+ || (!S_ISCHR(pr->mode) && (pr->size < off || pr->size < len))
+ || (!S_ISCHR(pr->mode) && (pr->off + pr->size < real_off + len))) {
+ DBG(BUFFER, ul_debug("\t read-buffer out of probing area (ignore)"));
 errno = 0;
 return NULL;
 }
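Review bot: The new guard at the top of hide_buffer() carries no comment explaining what it protects, and the debug text "(ignore)" sits next to a hard `-EINVAL` return, which reads as contradictory to the next maintainer. A one-line comment above the check would make the intent explicit: `/* reject a range whose end (off + len) would wrap past UINT64_MAX */`. Whether callers treat -EINVAL from hide_buffer() as fatal or as "nothing to hide" cannot be seen here, since the rest of hide_buffer() and its callers lie outside the hunk; the comment should say which it is once confirmed.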
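Review bot: The new overflow branch in blkid_probe_get_buffer() returns NULL without touching errno, while both neighbouring NULL returns set it explicitly (`errno = EINVAL` for `pr->size == 0`, `errno = 0` for the out-of-area case), so a caller that distinguishes a benign NULL from a failure by errno — which the existing `errno = 0` strongly suggests exists — would read a stale value on this path. Set it deliberately, e.g. `errno = EINVAL;` before the `return NULL;`, or `errno = 0;` if a wrapped request is meant to be treated like the out-of-area case the "(ignore)" text implies. As a point of style, the two `!S_ISCHR(pr->mode) && (...)` terms in the following condition can be folded into one `!S_ISCHR(pr->mode) && (pr->size < off || pr->size < len || pr->off + pr->size < real_off + len)`, which reads more directly and evaluates the mode test once.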