From e5421cc1b7d2c1628184f349650634d1b54ad565 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Thomas=20Wei=C3=9Fschuh?=
Date: Thu, 3 Oct 2024 09:14:57 +0200
Subject: [PATCH] libblkid: (exfat): validate fields used by prober
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The exFAT specification lists valid value ranges for the superblock fields. Validate the fields interpreted by the libblkid prober to avoid undefined behaviour.

Signed-off-by: Thomas Weißschuh
(cherry picked from commit 1bdfbe9a7af4f5897624ec1ab14e9f60a5b72c61)
---
 libblkid/src/superblocks/exfat.c | 33 ++++++++++++++++++
 .../test_blkid_fuzz_files/oss-fuzz-371061095 | Bin 0 -> 1025 bytes
 2 files changed, 33 insertions(+)
 create mode 100644 tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-371061095

diff --git a/libblkid/src/superblocks/exfat.c b/libblkid/src/superblocks/exfat.c
index 18a3e07c7a..a7d3e02980 100644
--- a/libblkid/src/superblocks/exfat.c
+++ b/libblkid/src/superblocks/exfat.c
@@ -161,6 +161,8 @@ static int exfat_validate_checksum(blkid_probe pr,
 		return 1;
 }
 
+#define in_range_inclusive(val, start, stop) (val >= start && val <= stop)
+
 static int exfat_valid_superblock(blkid_probe pr, const struct exfat_super_block *sb)
 {
 	if (le16_to_cpu(sb->BootSignature) != 0xAA55)
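Review bot: `in_range_inclusive` does not parenthesize its parameters, and the next hunk passes compound expressions (`a - (b * c)`, `a + b * c`, `25 - sb->BytesPerSectorShift`) as `start`/`stop`, so correctness currently depends on each call site's operator precedence rather than on the macro itself; define it as `#define in_range_inclusive(val, start, stop) ((val) >= (start) && (val) <= (stop))`. Each argument is also expanded twice, which is safe for the side-effect-free field reads used here but deserves a one-line comment saying so, or a `static inline` helper instead of a macro.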
@@ -172,10 +174,41 @@ static int exfat_valid_superblock(blkid_probe pr, const struct exfat_super_block
 	if (memcmp(sb->JumpBoot, "\xEB\x76\x90", 3) != 0)
 		return 0;
 
+	if (memcmp(sb->FileSystemName, "EXFAT ", 8) != 0)
+		return 0;
+
 	for (size_t i = 0; i < sizeof(sb->MustBeZero); i++)
 		if (sb->MustBeZero[i] != 0x00)
 			return 0;
 
+	if (!in_range_inclusive(sb->NumberOfFats, 1, 2))
+		return 0;
+
+	if (!in_range_inclusive(sb->BytesPerSectorShift, 9, 12))
+		return 0;
+
+	if (!in_range_inclusive(sb->SectorsPerClusterShift,
+				0,
+				25 - sb->BytesPerSectorShift))
+		return 0;
+
+	if (!in_range_inclusive(le32_to_cpu(sb->FatOffset),
+				24,
+				le32_to_cpu(sb->ClusterHeapOffset) -
+				(le32_to_cpu(sb->FatLength) * sb->NumberOfFats)))
+		return 0;
+
+	if (!in_range_inclusive(le32_to_cpu(sb->ClusterHeapOffset),
+				le32_to_cpu(sb->FatOffset) +
+				le32_to_cpu(sb->FatLength) * sb->NumberOfFats,
+				1U << (32 - 1)))
+		return 0;
+
+	if (!in_range_inclusive(le32_to_cpu(sb->FirstClusterOfRootDirectory),
+				2,
+				le32_to_cpu(sb->ClusterCount) + 1))
+		return 0;
+
 	if (!exfat_validate_checksum(pr, sb))
 		return 0;
 
diff --git a/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-371061095 b/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-371061095
new file mode 100644
index 0000000000000000000000000000000000000000..c16597d59d4c5eb6f3d4b460d4a2a8dec78ecf75
GIT binary patch
literal 1025
zc-nhiHo-N*%`rqlL4ko9pb<*HW`fX6a2Y0KWsG79KY`SL_U{UH5`X`vgaJ9H|A)9m
zc%1^tGBEf@GWZ4uyZDDQJYtXvcMWUW2Qp$G5HRc`09+g$Z>gdKYgH@&D7X|zu>g%$
zB@CcW|MnlN$F=`M0E@EZ6rlTO0z);JQECEECNY_T;kR%uL+C1l)xn0Us?sWh$VrAk
zC$%sEL!9yF_x}tb3`}e+LO=yPnxbGJFDi(L5Xz$ACw0MJ)}IWY{{P1i$DVqCt`7EP
zbol=|VuG$)n5(W^ur31=BO}P)VhjwAKmZbEpZ}r(Xc*cAF~r8k?qm4;|J`Ta|MwD}
z{0Bpm|1W@$h4C4~GlsK3xD5y)8U)Z|!y%lN;Xgy}_wWDzVT}}El;3v%#sNc&+j~|<
z1_1_51_pLR246;n|Gh=RK;x`Yj9U-H2N>AkeB|^1&S8lRzEKQ}{}>ovFlYezIv~MS
PU@6xKsEY*Nd}06q|BYA?

literal 0
Hc-jL100001

-- 
2.47.2
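Review bot: The bounds passed to `in_range_inclusive` for FatOffset and ClusterHeapOffset are computed in 32-bit unsigned arithmetic, so a large FatLength makes `le32_to_cpu(sb->FatLength) * sb->NumberOfFats` and the adjacent `+`/`-` wrap, and a wrapped bound can let a FAT region that does not fit before the cluster heap pass both checks; since NumberOfFats is already limited to 2 just above, widening to `uint64_t` (assuming stdint types are in scope in this file) before multiplying removes the wrap, as sketched below, and the two checks collapse into one equivalent condition. The `memcmp(sb->FileSystemName, "EXFAT ", 8)` literal must be exactly eight bytes ("EXFAT" plus three spaces) for a length-8 compare to stay inside it; as rendered here it shows a single trailing space, which may be a whitespace-collapse artifact, so it is worth confirming against the committed file. exfat_valid_superblock continues past the end of this hunk.
```c
	/* … unchanged: JumpBoot, FileSystemName, MustBeZero, NumberOfFats,
	 *   BytesPerSectorShift and SectorsPerClusterShift checks … */

	/* Widen before multiplying/adding so a large FatLength cannot wrap the
	 * FAT-region bound back into range (NumberOfFats is already <= 2). */
	uint64_t fat_offset = le32_to_cpu(sb->FatOffset);
	uint64_t fat_end = fat_offset +
			   (uint64_t) le32_to_cpu(sb->FatLength) * sb->NumberOfFats;
	uint64_t heap_offset = le32_to_cpu(sb->ClusterHeapOffset);

	/* FatOffset >= 24, FAT region ends at or before the cluster heap,
	 * ClusterHeapOffset <= 2^31: same conditions as before, without wrap. */
	if (fat_offset < 24 || fat_end > heap_offset ||
	    heap_offset > (1U << (32 - 1)))
		return 0;

	/* … unchanged: FirstClusterOfRootDirectory and checksum checks … */
```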