From d7fa8ed63891b0058c5df8aa809e34de61008f51 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Sun, 9 Oct 2022 20:20:45 +0200
Subject: [PATCH] libblkid: avoid buffer overflow in ocfs superblock parsing
Label and mount values are checked only according to on-disk
values and not checked against the real structure size.
This can lead to reading of memory outside of superblock
struct and subsequent crash.
Reproducer found with OSS-Fuzz (issue 52270) running over
cryptsetup project (blkid is used in header init).
Signed-off-by: Milan Broz <gmazyland@gmail.com>
---
libblkid/src/superblocks/ocfs.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
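diff --git a/libblkid/src/superblocks/ocfs.c b/libblkid/src/superblocks/ocfs.c
index 28df6ddfa4..e213d66b44 100644
--- a/libblkid/src/superblocks/ocfs.c
+++ b/libblkid/src/superblocks/ocfs.c
@@ -129,10 +129,12 @@ static int probe_ocfs(blkid_probe pr, const struct blkid_idmag *mag)
 blkid_probe_set_value(pr, "SEC_TYPE",
 (unsigned char *) "ntocfs", sizeof("ntocfs"));
 
- blkid_probe_set_label(pr, (unsigned char *) ovl.label,
- ocfslabellen(ovl));
- blkid_probe_set_value(pr, "MOUNT", (unsigned char *) ovh.mount,
- ocfsmountlen(ovh));
+ if (ocfslabellen(ovl) < sizeof(ovl.label))
+ blkid_probe_set_label(pr, (unsigned char *) ovl.label,
+ ocfslabellen(ovl));
+ if (ocfsmountlen(ovh) < sizeof(ovh.mount))
+ blkid_probe_set_value(pr, "MOUNT", (unsigned char *) ovh.mount,
+ ocfsmountlen(ovh));
 blkid_probe_set_uuid(pr, ovl.vol_id);
 blkid_probe_sprintf_version(pr, "%u.%u", maj, min);
 return 0;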
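Review bot: Both new guards drop the value silently when the on-disk length does not fit the field, so a superblock with an out-of-range label or mount length is still reported as ocfs, with a UUID and `return 0`. If such a header should count as corrupt, the probe could return its no-match result there instead. Either way, a comment above the first `if` such as `/* lengths come from disk and are untrusted: skip values that do not fit the struct field */` would record the intent. The comparison is strict, so a length equal to `sizeof(ovl.label)` or `sizeof(ovh.mount)` is also dropped; that is presumably deliberate, but the field definitions and the `ocfslabellen`/`ocfsmountlen` macros are outside the hunk, so it is worth confirming. `probe_ocfs` starts before the hunk, so any earlier validation is not visible here.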