diff options
| author | Theodore Ts'o <tytso@mit.edu> | 2019-01-29 23:07:27 -0500 |
|---|---|---|
| committer | Theodore Ts'o <tytso@mit.edu> | 2019-01-29 23:07:27 -0500 |
| commit | 92c5594969caad29ffd333441ac85bdaa4b7ac3e (patch) | |
| tree | 72311a2c2d614d0494ce1c2dbe1b325b38bd6fc2 /lib/ext2fs/gen_bitmap64.c | |
| parent | f13a7c2fdfa96f07701e7dd295bddc1dd85fd6a6 (diff) | |
| download | e2fsprogs-92c5594969caad29ffd333441ac85bdaa4b7ac3e.tar.gz | |
libext2fs: add checks for block number wrapping for bitmap range functions
This fixes potential seg faults when opening a fuzzed file system with
block group descriptors containing a bogus inode table location.
Google-Bug-Id: 119929050
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Diffstat (limited to 'lib/ext2fs/gen_bitmap64.c')
| -rw-r--r-- | lib/ext2fs/gen_bitmap64.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/lib/ext2fs/gen_bitmap64.c b/lib/ext2fs/gen_bitmap64.c index 3fc73498..47ba2baf 100644 --- a/lib/ext2fs/gen_bitmap64.c +++ b/lib/ext2fs/gen_bitmap64.c @@ -637,7 +637,8 @@ int ext2fs_test_block_bitmap_range2(ext2fs_block_bitmap bmap, bmap, block); if (EXT2FS_IS_32_BITMAP(bmap)) { - if ((block+num-1) & ~0xffffffffULL) { + if ((block & ~0xffffffffULL) || + ((block+num-1) & ~0xffffffffULL)) { ext2fs_warn_bitmap2((ext2fs_generic_bitmap) bmap, EXT2FS_UNMARK_ERROR, 0xffffffff); return EINVAL; @@ -657,7 +658,8 @@ int ext2fs_test_block_bitmap_range2(ext2fs_block_bitmap bmap, end >>= bmap->cluster_bits; num = end - block; - if ((block < bmap->start) || (block+num-1 > bmap->end)) { + if ((block < bmap->start) || (block > bmap->end) || + (block+num-1 > bmap->end)) { ext2fs_warn_bitmap(EXT2_ET_BAD_BLOCK_TEST, block, bmap->description); return EINVAL; @@ -675,7 +677,8 @@ void ext2fs_mark_block_bitmap_range2(ext2fs_block_bitmap bmap, return; if (EXT2FS_IS_32_BITMAP(bmap)) { - if ((block+num-1) & ~0xffffffffULL) { + if ((block & ~0xffffffffULL) || + ((block+num-1) & ~0xffffffffULL)) { ext2fs_warn_bitmap2((ext2fs_generic_bitmap) bmap, EXT2FS_UNMARK_ERROR, 0xffffffff); return; @@ -695,7 +698,8 @@ void ext2fs_mark_block_bitmap_range2(ext2fs_block_bitmap bmap, end >>= bmap->cluster_bits; num = end - block; - if ((block < bmap->start) || (block+num-1 > bmap->end)) { + if ((block < bmap->start) || (block > bmap->end) || + (block+num-1 > bmap->end)) { ext2fs_warn_bitmap(EXT2_ET_BAD_BLOCK_MARK, block, bmap->description); return; @@ -713,7 +717,8 @@ void ext2fs_unmark_block_bitmap_range2(ext2fs_block_bitmap bmap, return; if (EXT2FS_IS_32_BITMAP(bmap)) { - if ((block+num-1) & ~0xffffffffULL) { + if ((block & ~0xffffffffULL) || + ((block+num-1) & ~0xffffffffULL)) { ext2fs_warn_bitmap2((ext2fs_generic_bitmap) bmap, EXT2FS_UNMARK_ERROR, 0xffffffff); return; @@ -733,7 +738,8 @@ void ext2fs_unmark_block_bitmap_range2(ext2fs_block_bitmap bmap, end >>= bmap->cluster_bits; num = end - block; - if ((block < bmap->start) || (block+num-1 > bmap->end)) { + if ((block < bmap->start) || (block > bmap->end) || + (block+num-1 > bmap->end)) { ext2fs_warn_bitmap(EXT2_ET_BAD_BLOCK_UNMARK, block, bmap->description); return; |