Blame SOURCES/0114-libblkid-Avoid-OOB-access-on-illegal-ZFS-superblocks.patch

05ad79
From 7e1c9da4773237e368bdc0539ef91d55ef19806c Mon Sep 17 00:00:00 2001
05ad79
From: Tobias Stoeckmann <tobias@stoeckmann.org>
05ad79
Date: Sun, 28 Aug 2016 21:15:59 +0200
05ad79
Subject: [PATCH 114/116] libblkid: Avoid OOB access on illegal ZFS superblocks
05ad79
05ad79
64 bit systems can trigger an out of boundary access while performing
05ad79
a ZFS superblock probe.
05ad79
05ad79
This happens due to a possible integer overflow while calculating
05ad79
the remaining available bytes. The variable is of type "int" and the
05ad79
string length is allowed to be larger than INT_MAX, which means that
05ad79
avail calculation can overflow, circumventing the "avail < 0" check and
05ad79
therefore accessing memory outside the "buff" array later on.
05ad79
05ad79
[kzak@redhat.com (rhel7): - remove unused swab_magic]
05ad79
05ad79
Upstream: https://github.com/karelzak/util-linux/commit/8fa57ab0b5696031da800e243def32bc5265ff6d
05ad79
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1392661
05ad79
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
05ad79
Signed-off-by: Karel Zak <kzak@redhat.com>
05ad79
---
05ad79
 libblkid/src/superblocks/zfs.c | 3 +--
05ad79
 1 file changed, 1 insertion(+), 2 deletions(-)
05ad79
05ad79
diff --git a/libblkid/src/superblocks/zfs.c b/libblkid/src/superblocks/zfs.c
05ad79
index ff12fa6..2c7b4b7 100644
05ad79
--- a/libblkid/src/superblocks/zfs.c
05ad79
+++ b/libblkid/src/superblocks/zfs.c
05ad79
@@ -115,7 +115,7 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset)
05ad79
 
05ad79
 			nvs->nvs_type = be32_to_cpu(nvs->nvs_type);
05ad79
 			nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen);
05ad79
-			if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs))
05ad79
+			if (nvs->nvs_strlen > INT_MAX - sizeof(*nvs))
05ad79
 				break;
05ad79
 			avail -= nvs->nvs_strlen + sizeof(*nvs);
05ad79
 			nvdebug("nvstring: type %u string %*s\n", nvs->nvs_type,
05ad79
@@ -201,7 +201,6 @@ static int find_uberblocks(const void *label, loff_t *ub_offset, int *swap_endia
05ad79
  * #4 (@ 132kB) is the first one written on a new filesystem. */
05ad79
 static int probe_zfs(blkid_probe pr, const struct blkid_idmag *mag)
05ad79
 {
05ad79
-	uint64_t swab_magic = swab64(UBERBLOCK_MAGIC);
05ad79
 	int swab_endian = 0;
05ad79
 	struct zfs_uberblock *ub;
05ad79
 	loff_t offset, ub_offset = 0;
05ad79
-- 
05ad79
2.9.3
05ad79