64-bit systems can trigger an out-of-boundary access while performing
a ZFS superblock probe.
This happens due to a possible integer overflow while calculating
the remaining available bytes. The variable is of type "int" and the
string length is allowed to be larger than INT_MAX, which means that
the avail calculation can overflow, circumventing the "avail < 0" check and
therefore accessing memory outside the "buff" array later on.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
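The overflow described in the message, as an added stand-alone illustration (not code from the project or the patch author): `struct nvs_hdr` and `probe_would_read` are assumed names that mirror only the accounting statement the patch touches, parameterised by the bound used in the `break` check.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the on-disk nvstring header; the page does not
 * show the real struct, and only its size matters for the arithmetic. */
struct nvs_hdr {
    uint32_t nvs_type;
    uint32_t nvs_strlen;
};

/* One iteration of the probe's length accounting. Returns true when the
 * probe would go on to read nvs_strlen bytes from "buff", i.e. the bound
 * check passed and the following "avail < 0" test did not fire. A true
 * result with nvs_strlen + sizeof(struct nvs_hdr) > avail means the read
 * would leave the buffer. */
static bool probe_would_read(int avail, uint32_t nvs_strlen, size_t bound)
{
    if (nvs_strlen > bound - sizeof(struct nvs_hdr))
        return false;                               /* rejected by bound */
    /* Same shape as the patched statement: "int -= size_t". avail is
     * converted to size_t, the subtraction wraps modulo 2^64 when the
     * length exceeds avail, and the result is converted back to int
     * (implementation-defined; gcc and clang keep the low 32 bits). */
    avail -= nvs_strlen + sizeof(struct nvs_hdr);
    return avail >= 0;
}

/* Old bound (UINT_MAX): a length just under 4 GiB passes the check, the
 * wrapped result lands back in the positive int range, and the probe
 * keeps reading past "buff". */
static bool old_bound_reads_out_of_bounds(void)
{
    return probe_would_read(4096, 0xFFFFFFF0u, UINT_MAX);   /* true */
}

/* New bound (INT_MAX): the same length is rejected outright, and any
 * length that passes keeps avail - length within int range, so an
 * oversized string drives avail negative and the loop stops, while a
 * string that fits is still accepted. */
static bool new_bound_rejects(void)
{
    return !probe_would_read(4096, 0xFFFFFFF0u, INT_MAX)
        && !probe_would_read(4096, 0x7FFFFF00u, INT_MAX)
        && probe_would_read(4096, 100u, INT_MAX);
}
```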
nvs->nvs_type = be32_to_cpu(nvs->nvs_type);
nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen);
- if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs))
+ if (nvs->nvs_strlen > INT_MAX - sizeof(*nvs))
break;
avail -= nvs->nvs_strlen + sizeof(*nvs);
nvdebug("nvstring: type %u string %*s\n", nvs->nvs_type,
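Review bot: the new INT_MAX bound is only sufficient because avail is an int that is non-negative when this statement runs and the "avail < 0" test fires before the next nvs is touched; the comparison itself gives no hint of that, so a one-line comment above it (avail is an int; this keeps nvs_strlen + sizeof(*nvs) within its range so the subtraction cannot wrap back to a positive value) would save the next reader from asking why INT_MAX rather than UINT_MAX or the remaining avail. Since nvs_strlen is 32-bit unsigned and sizeof(*nvs) is size_t, `INT_MAX - sizeof(*nvs)` is evaluated as size_t, so the check has no sign-conversion problem of its own.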