1 From b951c46fab0efe29adc43d7fff7ed4201adcde7d Mon Sep 17 00:00:00 2001
2 From: Michael Small <smallm@sdf.org>
3 Date: Fri, 8 Feb 2019 17:01:43 -0500
4 Subject: [PATCH 110/111] Avoid sigsegv in case 2nd nilfs2 superblock magic
7 1. is_valid_nilfs_sb: make sure the subtraction bytes - sumoff - 4
8 won't give a negative number. That as the len argument to
9 __efi_crc32() would give a very large number for the latter's for
10 loop limit, since len is unsigned long.
12 2. nilfs2_probe: Read and allocate enough sectors to hold a
13 struct nilfs2_super_block. is_valid_nilfs_sb() will be passing
14 up to 1024 bytes to __efi_crc32(). If only one 512 byte sector
15 had been allocated with alloca and read from disk that would cause
16 reads off the the end of the stack even if bytes were more than
19 libparted/fs/nilfs2/nilfs2.c | 8 +++++---
20 1 file changed, 5 insertions(+), 3 deletions(-)
22 diff --git a/libparted/fs/nilfs2/nilfs2.c b/libparted/fs/nilfs2/nilfs2.c
23 index b42a464..52f757c 100644
24 --- a/libparted/fs/nilfs2/nilfs2.c
25 +++ b/libparted/fs/nilfs2/nilfs2.c
26 @@ -89,7 +89,7 @@ is_valid_nilfs_sb(struct nilfs2_super_block *sb)
29 bytes = PED_LE16_TO_CPU(sb->s_bytes);
31 + if (bytes > 1024 || bytes < sumoff - 4)
34 crc = __efi_crc32(sb, sumoff, PED_LE32_TO_CPU(sb->s_crc_seed));
35 @@ -113,11 +113,13 @@ nilfs2_probe (PedGeometry* geom)
36 const int sectors = (4096 + geom->dev->sector_size - 1) /
37 geom->dev->sector_size;
38 char *buf = alloca (sectors * geom->dev->sector_size);
39 - void *buff2 = alloca (geom->dev->sector_size);
40 + const int sectors2 = (1024 + geom->dev->sector_size -1 ) /
41 + geom->dev->sector_size;
42 + void *buff2 = alloca (sectors2 * geom->dev->sector_size);
44 if (ped_geometry_read(geom, buf, 0, sectors))
45 sb = (struct nilfs2_super_block *)(buf+1024);
46 - if (ped_geometry_read(geom, buff2, sb2off, 1))
47 + if (ped_geometry_read(geom, buff2, sb2off, sectors2))
50 if ((!sb || !is_valid_nilfs_sb(sb)) &&
projects / packages / parted.git / blob