Hi Jin,
On 04/27, Jin Qian wrote:
> segno and blk_off were read from input image without sanity check. This
> could lead to buffer overflow when accessing internal arrays like SIT
> sentries and seg_entry cur_valid_map.
>
> Signed-off-by: Jin Qian <[email protected]>
> ---
> fsck/mount.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fsck/mount.c b/fsck/mount.c
> index ffaa0ed..749c417 100644
> --- a/fsck/mount.c
> +++ b/fsck/mount.c
> @@ -1040,6 +1040,9 @@ static void build_curseg(struct f2fs_sb_info *sbi)
> blk_off = get_cp(cur_node_blkoff[i - CURSEG_HOT_NODE]);
> segno = get_cp(cur_node_segno[i - CURSEG_HOT_NODE]);
> }
> + ASSERT(segno < TOTAL_SEGS(sbi));
> + ASSERT((blk_off >> 3) < SIT_VBLOCK_MAP_SIZE);
ASSERT(blk_off < DEFAULT_BLOCKS_PER_SEGMENT);
Otherwise, blk_off can be cut by shift operation.
Thanks,
> +
> array[i].segno = segno;
> array[i].zone = GET_ZONENO_FROM_SEGNO(sbi, segno);
> array[i].next_segno = NULL_SEGNO;
> --
> 2.13.0.rc0.306.g87b477812d-goog
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Linux-f2fs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
