From: Karel Zak <kzak@redhat.com>
Date: Wed, 25 Feb 2026 10:01:02 +0000 (+0100)
Subject: hexdump: sanitize fiemap ioctl output
X-Git-Tag: v2.43-devel~41
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b3ab0e77d0afe049de7dfd691987943a9fc41f61;p=thirdparty%2Futil-linux.git

hexdump: sanitize fiemap ioctl output

Cap fm_mapped_extents to FIEMAP_EXTENTS_BATCH after each ioctl() call
to prevent potential out-of-bounds access if the kernel returns more
extents than requested.

Reported-by: Coverity Scan
Signed-off-by: Karel Zak <kzak@redhat.com>
---

diff --git a/text-utils/hexdump-display.c b/text-utils/hexdump-display.c
index f0db9c12a..d6422d24c 100644
--- a/text-utils/hexdump-display.c
+++ b/text-utils/hexdump-display.c
@@ -101,6 +101,9 @@ static void init_fiemap(struct hexdump *hex, int fd)
 		return;
 	}
 
+	if (fm->fm_mapped_extents > FIEMAP_EXTENTS_BATCH)
+		fm->fm_mapped_extents = FIEMAP_EXTENTS_BATCH;
+
 	/* If no extents, the entire file is a hole - keep fiemap to indicate this */
 	if (fm->fm_mapped_extents == 0) {
 		hex->fiemap = fm;
@@ -129,6 +132,9 @@ static int fetch_more_extents(struct hexdump *hex, int fd)
 	if (ioctl(fd, FS_IOC_FIEMAP, fm) < 0)
 		return 0;
 
+	if (fm->fm_mapped_extents > FIEMAP_EXTENTS_BATCH)
+		fm->fm_mapped_extents = FIEMAP_EXTENTS_BATCH;
+
 	hex->current_extent = 0;
 	return 1;
 }