fsck.f2fs: fix cur_valid_map buffer overflow
author Jin Qian <jinqian@google.com>
Tue, 18 Apr 2017 17:58:05 +0000 (10:58 -0700)
committer Jaegeuk Kim <jaegeuk@kernel.org>
Fri, 21 Apr 2017 18:42:59 +0000 (11:42 -0700)
blk_off is read from the image. An attacker can construct an image with a big
blk_off that triggers an overflow on se->cur_valid_map.

Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
fsck/fsck.c

index afd83e5..2a6546a 100644
@@ -1804,6 +1804,8 @@ int check_curseg_offset(struct f2fs_sb_info *sbi)
                struct seg_entry *se;
                int j, nblocks;
 
+               if ((curseg->next_blkoff >> 3) >= SIT_VBLOCK_MAP_SIZE)
+                       return -EINVAL;
                se = get_seg_entry(sbi, curseg->segno);
                if (f2fs_test_bit(curseg->next_blkoff,
                                        (const char *)se->cur_valid_map)) {
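Review bot: the new bound check returns -EINVAL without reporting which curseg entry or which next_blkoff value failed, so a user running fsck.f2fs on a corrupted image gets no indication of what was rejected; consider logging curseg->segno and curseg->next_blkoff before the `return -EINVAL;`, in the style of the other diagnostics in this function. A short comment on the `>> 3` would also help: the shift is there because f2fs_test_bit indexes the bitmap by byte (bit number divided by 8), so comparing `next_blkoff >> 3` against SIT_VBLOCK_MAP_SIZE is exactly the byte-index bound that the subsequent `f2fs_test_bit(curseg->next_blkoff, (const char *)se->cur_valid_map)` call relies on; without that note the constant looks like a block count rather than a byte count.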