Hi Jin,

On 04/27, Jin Qian wrote:
> segno and blk_off were read from input image without sanity check. This
> could lead to buffer overflow when accessing internal arrays like SIT
> sentries and seg_entry cur_valid_map.
> 
> Signed-off-by: Jin Qian <jinq...@google.com>
> ---
>  fsck/mount.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fsck/mount.c b/fsck/mount.c
> index ffaa0ed..749c417 100644
> --- a/fsck/mount.c
> +++ b/fsck/mount.c
> @@ -1040,6 +1040,9 @@ static void build_curseg(struct f2fs_sb_info *sbi)
>                       blk_off = get_cp(cur_node_blkoff[i - CURSEG_HOT_NODE]);
>                       segno = get_cp(cur_node_segno[i - CURSEG_HOT_NODE]);
>               }
> +             ASSERT(segno < TOTAL_SEGS(sbi));
> +             ASSERT((blk_off >> 3) < SIT_VBLOCK_MAP_SIZE);

                ASSERT(blk_off < DEFAULT_BLOCKS_PER_SEGMENT);

Otherwise, blk_off can be cut by the shift operation.

Thanks,

> +
>               array[i].segno = segno;
>               array[i].zone = GET_ZONENO_FROM_SEGNO(sbi, segno);
>               array[i].next_segno = NULL_SEGNO;
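Review bot: the second bound, `ASSERT((blk_off >> 3) < SIT_VBLOCK_MAP_SIZE);`, is written as a byte index into the valid-block bitmap rather than as the block offset the code is actually about to use, so it only rejects out-of-range offsets insofar as the bitmap size and the segment size happen to line up; comparing blk_off directly against the number of blocks per segment states the invariant the caller relies on and does not depend on that relationship. Both asserts also sit with no comment on why these are the right bounds; a one-line note at the check that segno and blk_off come from the on-disk checkpoint and must be validated before indexing the SIT entries would carry the commit message's reasoning into the code. Terminating fsck via ASSERT on a malformed checkpoint is the right failure mode for untrusted input here, since continuing would index internal arrays with the unchecked values.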
> -- 
> 2.13.0.rc0.306.g87b477812d-goog

Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel