cp_payload is not sanity-checked from the input image. An invalid size can cause a buffer overflow when reading checkpoint blks into memory.
Signed-off-by: Jin Qian <jinq...@google.com>
---
 fsck/mount.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fsck/mount.c b/fsck/mount.c
index 761baa0..ffaa0ed 100644
--- a/fsck/mount.c
+++ b/fsck/mount.c
@@ -589,9 +589,14 @@ int get_valid_checkpoint(struct f2fs_sb_info *sbi)
 	unsigned long blk_size = sbi->blocksize;
 	unsigned long long cp1_version = 0, cp2_version = 0, version;
 	unsigned long long cp_start_blk_no;
-	unsigned int cp_blks = 1 + get_sb(cp_payload);
+	unsigned int cp_payload, cp_blks;
 	int ret;
 
+	cp_payload = get_sb(cp_payload);
+	if (cp_payload > F2FS_BLK_ALIGN(MAX_SIT_BITMAP_SIZE))
+		return -EINVAL;
+
+	cp_blks = 1 + cp_payload;
 	sbi->ckpt = malloc(cp_blks * blk_size);
 	if (!sbi->ckpt)
 		return -ENOMEM;
-- 
2.13.0.rc0.306.g87b477812d-goog
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
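Review bot: The new `if (cp_payload > F2FS_BLK_ALIGN(MAX_SIT_BITMAP_SIZE))` check returns -EINVAL silently, so an operator running fsck on a corrupt image gets no indication which superblock field was rejected or what value it held; logging the offending cp_payload value before the `return -EINVAL;`, using whatever message macro this file already uses for fatal superblock problems, would make the failure diagnosable from the tool's output. The ceiling is taken from the SIT bitmap size rather than stated in terms of the checkpoint-pack layout, so a short comment above the check naming what `F2FS_BLK_ALIGN(MAX_SIT_BITMAP_SIZE)` represents as an upper bound on payload blocks would tell the next reader why values above it cannot come from a well-formed image. Because the validation lives inside get_valid_checkpoint, any other consumer of `get_sb(cp_payload)` elsewhere in the tool is presumably still unvalidated; checking the field once at the point where the superblock itself is sanity-checked would cover every reader. get_valid_checkpoint continues past the end of the hunk, including the reads into sbi->ckpt that the commit message describes.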