libblkid: Avoid OOB access on illegal ZFS superblocks
authorTobias Stoeckmann <tobias@stoeckmann.org>
Sun, 28 Aug 2016 19:15:59 +0000 (21:15 +0200)
committerKarel Zak <kzak@redhat.com>
Mon, 29 Aug 2016 11:22:24 +0000 (13:22 +0200)
64 bit systems can trigger an out of boundary access while performing
a ZFS superblock probe.

This happens due to a possible integer overflow while calculating
the remaining available bytes. The variable is of type "int" and the
string length is allowed to be larger than INT_MAX, which means that
avail calculation can overflow, circumventing the "avail < 0" check and
therefore accessing memory outside the "buff" array later on.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
libblkid/src/superblocks/zfs.c

index b6ffac537b2bcb89cae6f65eb8a431f4227b08f8..c41f769905b6e9e84a6239d3c0033d4e2ae4b56b 100644 (file)
@@ -112,7 +112,7 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset)
 
                        nvs->nvs_type = be32_to_cpu(nvs->nvs_type);
                        nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen);
-                       if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs))
+                       if (nvs->nvs_strlen > INT_MAX - sizeof(*nvs))
                                break;
                        avail -= nvs->nvs_strlen + sizeof(*nvs);
                        DBG(LOWPROBE, ul_debug("nvstring: type %u string %*s\n", nvs->nvs_type,
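Review bot: The `ul_debug` call on the last line of the hunk still runs directly after `avail -= ...` with no visible check that `avail` stayed non-negative, and its `%*s` conversion sets a minimum field width rather than a limit on the bytes read. The new `INT_MAX` guard stops the subtraction from wrapping, but it does not tie `nvs_strlen` to the bytes actually left in the buffer, so a superblock that claims a string longer than the remaining data may still reach the print (its arguments lie outside the hunk, so this is inferred). Consider bounding against `avail` before subtracting, e.g. `if (avail < (int)sizeof(*nvs) || nvs->nvs_strlen > (size_t)avail - sizeof(*nvs)) break;`, and using `%.*s` with the length cast to `int` in the debug format. The enclosing loop in `zfs_extract_guid_name` starts and ends outside the hunk, so the later `avail < 0` handling mentioned in the commit message could not be checked here.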