From: Manognya Singuru Date: Mon, 13 Jul 2026 06:18:08 +0000 (+0530) Subject: mdrestore: fix extent length overflow in v2 restore path X-Git-Tag: v7.1.1~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=992ef00860515bae353957fdb12accdd8aa32b25;p=thirdparty%2Fxfsprogs-dev.git mdrestore: fix extent length overflow in v2 restore path Aisle Research reported that a crafted metadump v2 extent length can overflow the signed int used for length, leading to incorrect size calculations and a potential heap buffer over-read in restore_meta_extent(). Change the length type to uint64_t and ensure all size arithmetic in 64-bit before converting to size_t for I/O calls. Reviewed-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig Signed-off-by: Manognya Singuru --- diff --git a/mdrestore/xfs_mdrestore.c b/mdrestore/xfs_mdrestore.c index ce7f596a6..3df9d65ea 100644 --- a/mdrestore/xfs_mdrestore.c +++ b/mdrestore/xfs_mdrestore.c @@ -395,11 +395,9 @@ restore_meta_extent( char *device, void *buf, uint64_t offset, - int len) + uint64_t len) { - int io_size; - - io_size = min(len, MDR_IO_BUF_SIZE); + size_t io_size = min(len, MDR_IO_BUF_SIZE); do { if (fread(buf, io_size, 1, md_fp) != 1) @@ -428,7 +426,7 @@ restore_v2( int64_t mb_read = 0; int64_t bytes_read; uint64_t offset; - int len; + uint64_t len; block_buffer = malloc(MDR_IO_BUF_SIZE); if (block_buffer == NULL) @@ -445,7 +443,7 @@ restore_v2( fatal("Invalid superblock disk address 0x%llx\n", be64_to_cpu(xme.xme_addr)); - len = BBTOB(be32_to_cpu(xme.xme_len)); + len = BBTOB((uint64_t)be32_to_cpu(xme.xme_len)); /* The primary superblock is always a single filesystem sector. */ if (len < BBTOB(1) || len > XFS_MAX_SECTORSIZE) @@ -511,7 +509,7 @@ restore_v2( break; } - len = BBTOB(be32_to_cpu(xme.xme_len)); + len = BBTOB((uint64_t)be32_to_cpu(xme.xme_len)); restore_meta_extent(md_fp, fd, device, block_buffer, offset, len);