[f2fs-dev] [PATCH 1/1] f2fs-tools: sanity check segno and blk_off when building curseg array

Jin Qian Thu, 27 Apr 2017 15:04:33 -0700

segno and blk_off were read from input image without sanity check. This
could lead to buffer overflow when accessing internal arrays like SIT
sentries and seg_entry cur_valid_map.


Signed-off-by: Jin Qian <jinq...@google.com>
---
 fsck/mount.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fsck/mount.c b/fsck/mount.c
index ffaa0ed..749c417 100644
--- a/fsck/mount.c
+++ b/fsck/mount.c
@@ -1040,6 +1040,9 @@ static void build_curseg(struct f2fs_sb_info *sbi)
                        blk_off = get_cp(cur_node_blkoff[i - CURSEG_HOT_NODE]);
                        segno = get_cp(cur_node_segno[i - CURSEG_HOT_NODE]);
                }
+               ASSERT(segno < TOTAL_SEGS(sbi));
+               ASSERT((blk_off >> 3) < SIT_VBLOCK_MAP_SIZE);
+
                array[i].segno = segno;
                array[i].zone = GET_ZONENO_FROM_SEGNO(sbi, segno);
                array[i].next_segno = NULL_SEGNO;
-- 
2.13.0.rc0.306.g87b477812d-goog


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

[f2fs-dev] [PATCH 1/1] f2fs-tools: sanity check segno and blk_off when building curseg array

Reply via email to