Hi Jin, On 04/27, Jin Qian wrote: > segno and blk_off were read from input image without sanity check. This > could lead to buffer overflow when accessing internal arrays like SIT > sentries and seg_entry cur_valid_map. > > Signed-off-by: Jin Qian <jinq...@google.com> > --- > fsck/mount.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fsck/mount.c b/fsck/mount.c > index ffaa0ed..749c417 100644 > --- a/fsck/mount.c > +++ b/fsck/mount.c > @@ -1040,6 +1040,9 @@ static void build_curseg(struct f2fs_sb_info *sbi) > blk_off = get_cp(cur_node_blkoff[i - CURSEG_HOT_NODE]); > segno = get_cp(cur_node_segno[i - CURSEG_HOT_NODE]); > } > + ASSERT(segno < TOTAL_SEGS(sbi)); > + ASSERT((blk_off >> 3) < SIT_VBLOCK_MAP_SIZE);
ASSERT(blk_off < DEFAULT_BLOCKS_PER_SEGMENT); Otherwise, blk_off can be cut by shift operation. Thanks, > + > array[i].segno = segno; > array[i].zone = GET_ZONENO_FROM_SEGNO(sbi, segno); > array[i].next_segno = NULL_SEGNO; > -- > 2.13.0.rc0.306.g87b477812d-goog ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel