git.ipfire.org Git - thirdparty/util-linux.git/commit

author	Karel Zak <kzak@redhat.com>
	Wed, 25 Mar 2026 10:54:28 +0000 (11:54 +0100)
committer	Karel Zak <kzak@redhat.com>
	Wed, 1 Apr 2026 08:48:06 +0000 (10:48 +0200)
commit	e9d544d013267ea86b70ee8ff78abd280e6641af
tree	c24e0de87e5a5fe8501717e09417b8207ee450db	tree \| snapshot
parent	5e390467b26a3cf3fecc04e1a0d482dff3162fc4	commit \| diff

libblkid: dos: validate EBR data and links within extended partition

The parse_dos_extended() function processes EBR (Extended Boot Record)
chains, but does not properly validate that partitions and links stay
within the master extended partition area [ex_start, ex_start+ex_size).

For EBR data partitions at index 0 and 1, there are no bounds checks
at all, unlike entries at index 2 and 3. This allows a crafted disk
image to register partitions at arbitrary sectors via uint32_t overflow
in the abs_start calculation (cur_start + start wraps to a small value).

Fix by:
- using 64-bit arithmetic for the abs_start calculation to avoid
   uint32_t wraparound
- applying the extended partition area bounds check to all EBR data
   entries, not just index >= 2
- validating EBR link targets stay within the extended area and
   advance forward (preventing backward links that could loop)

Reported-by: Michele Piccinni <piccinni.michele@gmail.com>
Signed-off-by: Karel Zak <kzak@redhat.com>