author | Theodore Ts'o <tytso@mit.edu> | 2019-11-08 11:58:10 -0500 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2019-11-08 12:02:48 -0500 |
commit | b99ffaffc94b0395d865d1e2410cdb2e9a0bbdde (patch) | |
tree | 327f073d461c2f1b4a9e667a82537ac8472f9949 | |
parent | a2a8cec68c69583b8de5409ade3cd641c7d4cef7 (diff) | |
download | e2fsprogs-b99ffaffc94b0395d865d1e2410cdb2e9a0bbdde.tar.gz |
libext2fs: verify the block numbers for the allocation bitmaps are valid
This avoids a potential UBsan failure when we multiply an insanely
high block number with the block size and we get a multiplication
overflow.
Google-Bug-Id: 128130353
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r-- | lib/ext2fs/rw_bitmaps.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/lib/ext2fs/rw_bitmaps.c b/lib/ext2fs/rw_bitmaps.c
index e092cab00..d80c9eb8f 100644
--- a/lib/ext2fs/rw_bitmaps.c
+++ b/lib/ext2fs/rw_bitmaps.c
@@ -306,9 +306,10 @@ static errcode_t read_bitmaps(ext2_filsys fs, int do_inode, int do_block)
 for (i = 0; i < fs->group_desc_count; i++) {
 if (block_bitmap) {
 blk = ext2fs_block_bitmap_loc(fs, i);
- if (csum_flag &&
- ext2fs_bg_flags_test(fs, i, EXT2_BG_BLOCK_UNINIT) &&
- ext2fs_group_desc_csum_verify(fs, i))
+ if ((csum_flag &&
+ ext2fs_bg_flags_test(fs, i, EXT2_BG_BLOCK_UNINIT) &&
+ ext2fs_group_desc_csum_verify(fs, i)) ||
+ (blk >= ext2fs_blocks_count(fs->super)))
 blk = 0;
 if (blk) {
 retval = io_channel_read_blk64(fs->io, blk,
@@ -340,9 +341,10 @@ static errcode_t read_bitmaps(ext2_filsys fs, int do_inode, int do_block)
 }
 if (inode_bitmap) {
 blk = ext2fs_inode_bitmap_loc(fs, i);
- if (csum_flag &&
- ext2fs_bg_flags_test(fs, i, EXT2_BG_INODE_UNINIT) &&
- ext2fs_group_desc_csum_verify(fs, i))
+ if ((csum_flag &&
+ ext2fs_bg_flags_test(fs, i, EXT2_BG_INODE_UNINIT) &&
+ ext2fs_group_desc_csum_verify(fs, i)) ||
+ (blk >= ext2fs_blocks_count(fs->super)))
 blk = 0;
 if (blk) {
 retval = io_channel_read_blk64(fs->io, blk,
|
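Review bot: The new `blk >= ext2fs_blocks_count(fs->super)` test in the block-bitmap hunk, and the identical one in the inode-bitmap hunk, sends an out-of-range location read from the group descriptor down the same `blk = 0` path as a legitimately uninitialized bitmap, so the caller gets no signal that on-disk metadata was invalid. What read_bitmaps does when `blk` is 0 lies outside both hunks, so I cannot tell from here whether the group's bitmap is then treated as empty. If that is the intent, a comment above the condition would record it, for example `/* bitmap location beyond end of fs: corrupt descriptor, do not read it */`; otherwise a separate check that fails with a bitmap-read error would let checking tools notice the corruption. The bound is itself taken from the superblock, so it only prevents the multiplication overflow if the blocks count has been validated before this loop runs, which is not visible in the diff.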