| field | value | date |
|---|---|---|
| author | Jin Qian <jinqian@google.com> | 2017-04-27 15:45:28 -0700 |
| committer | Jin Qian <jinqian@google.com> | 2017-05-08 14:33:20 -0700 |
| commit | 8be4c2d04755d8d7b3c4dd9b15b1b1345c53d14a (patch) | |
| tree | facc8bb616affb04d86d67c7ac996c882c7c5782 /fsck | |
| parent | 2010f975eefe4bb74623a0699527bea4ba726c06 (diff) | |
| download | f2fs-tools-8be4c2d04755d8d7b3c4dd9b15b1b1345c53d14a.tar.gz | |
fsck.f2fs: sanity check segno and blk_off when building curseg array
segno and blk_off were read from the input image without a sanity check. This
could lead to a buffer overflow when accessing internal arrays like SIT
sentries and seg_entry cur_valid_map.
Bug: 36266023
Change-Id: I09a54c61707ec40607bb8314276875ce7ab4c22a
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Diffstat (limited to 'fsck')
-rw-r--r-- | fsck/mount.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/fsck/mount.c b/fsck/mount.c index ae1a2ff..b8e8c45 100644 --- a/fsck/mount.c +++ b/fsck/mount.c @@ -1045,6 +1045,9 @@ static void build_curseg(struct f2fs_sb_info *sbi) blk_off = get_cp(cur_node_blkoff[i - CURSEG_HOT_NODE]); segno = get_cp(cur_node_segno[i - CURSEG_HOT_NODE]); } + ASSERT(segno < TOTAL_SEGS(sbi)); + ASSERT(blk_off < DEFAULT_BLOCKS_PER_SEGMENT); + array[i].segno = segno; array[i].zone = GET_ZONENO_FROM_SEGNO(sbi, segno); array[i].next_segno = NULL_SEGNO; |
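Review bot: the two bounds checks are the right place to stop the out-of-bounds index, and placing them after the closing brace of the if/else means both the data and node curseg branches are covered, but as ASSERT() calls they halt fsck on the first bad checkpoint entry instead of treating it as image corruption that fsck could report and, where the checkpoint has a usable backup, recover from. Consider checking the two values explicitly and returning an error from build_curseg() so the caller can fail the mount cleanly, e.g. `if (segno >= TOTAL_SEGS(sbi) || blk_off >= DEFAULT_BLOCKS_PER_SEGMENT) { MSG(0, "\tInvalid curseg %d: segno %u blk_off %u\n", i, segno, blk_off); return -1; }`, keeping the ASSERT form only if build_curseg() is meant to be fatal by design. A one-line comment above the checks saying that segno and blk_off come straight from the on-disk checkpoint would also make clear why untrusted-input validation belongs here.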