From 1e12220dc3609cfbe0b9662a8fa8b18143fa3e7f Mon Sep 17 00:00:00 2001 From: Bogdan Boguslavskij Date: Wed, 20 May 2026 17:07:20 +0300 Subject: [PATCH] Fix DB2 hash bitmap page count validation In __kdb2_hash_open(), bpages is computed from the hash file header and then used as the size argument when clearing hashp->mapp. The mapp array has only NCACHED entries, so a malformed hash database can cause memset() to write past the end of the array. Return EFTYPE if the computed bitmap page count is negative or greater then NCACHED. Found by Linux Verification Center (linuxtesting.org) with SVACE. ticket: 9215 --- src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c index 7c3e951aa2..f90aae0f9a 100644 --- a/src/plugins/kdb/db2/libdb2/hash/hash.c +++ b/src/plugins/kdb/db2/libdb2/hash/hash.c @@ -170,6 +170,9 @@ __kdb2_hash_open(const char *file, int flags, int mode, const HASHINFO *info, (hashp->hdr.bsize << BYTE_SHIFT) - 1) >> (hashp->hdr.bshift + BYTE_SHIFT); + if (bpages > NCACHED || bpages < 0) + RETURN_ERROR(EFTYPE, error1); + hashp->nmaps = bpages; (void)memset(&hashp->mapp[0], 0, bpages * sizeof(u_int32_t *)); } -- 2.47.3