diff options
author | Jin Qian <jinqian@google.com> | 2017-04-27 12:12:22 -0700 |
---|---|---|
committer | Jin Qian <jinqian@google.com> | 2017-05-08 14:32:31 -0700 |
commit | 2010f975eefe4bb74623a0699527bea4ba726c06 (patch) | |
tree | 292503eb0f4d796599e8a51b5ab554dca81e2e31 | |
parent | 2c3f0a64f8feebc5292eaa98de73a8c30aebf686 (diff) | |
download | f2fs-tools-2010f975eefe4bb74623a0699527bea4ba726c06.tar.gz |
fsck.f2fs: sanity check cp_payload before reading checkpoint
cp_payload is not sanity checked from input image. A invalid size
can cause buffer overflow when reading checkpoint blks into memory.
Bug: 36493182
Change-Id: I3ee62cbd6817e267de607454dd7223a4f0fd2c4d
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-rw-r--r-- | fsck/mount.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/fsck/mount.c b/fsck/mount.c index 8d3f96e..ae1a2ff 100644 --- a/fsck/mount.c +++ b/fsck/mount.c @@ -592,9 +592,14 @@ int get_valid_checkpoint(struct f2fs_sb_info *sbi) unsigned long blk_size = sbi->blocksize; unsigned long long cp1_version = 0, cp2_version = 0, version; unsigned long long cp_start_blk_no; - unsigned int cp_blks = 1 + get_sb(cp_payload); + unsigned int cp_payload, cp_blks; int ret; + cp_payload = get_sb(cp_payload); + if (cp_payload > F2FS_BLK_ALIGN(MAX_SIT_BITMAP_SIZE)) + return -EINVAL; + + cp_blks = 1 + cp_payload; sbi->ckpt = malloc(cp_blks * blk_size); if (!sbi->ckpt) return -ENOMEM; |