authorPedro F. Giffuni <pfg@FreeBSD.org>2014-12-09 14:56:00 +0000
committerPedro F. Giffuni <pfg@FreeBSD.org>2014-12-09 14:56:00 +0000
commit8f87059b41ff63d3334845257da0fb922e945392 (patch)
tree37d1ccaa8a5d4e9efe34d267f97689d81b576c7e /sys
parent469cb95ad61960530bbd8080c4300fb775d11df6 (diff)
ext2fs: Fix old out-of-bounds access.
Overrunning buffer pointed to by (caddr_t)&oip->i_db[0] of 48 bytes by passing it to a function which accesses it at byte offset 59 using argument 60UL. The issue was inherited from an older FFS implementation and fixed there by merging UFS2 in r98542. We follow the FFS fix. Discussed with: bde CID: 1007665 MFC after: 3 days
Notes
Notes: svn path=/head/; revision=275645
Diffstat (limited to 'sys')
-rw-r--r--sys/fs/ext2fs/ext2_inode.c22
1 files changed, 16 insertions, 6 deletions
diff --git a/sys/fs/ext2fs/ext2_inode.c b/sys/fs/ext2fs/ext2_inode.c
index cb97c46e9b7e..43b0fc9d144b 100644
--- a/sys/fs/ext2fs/ext2_inode.c
+++ b/sys/fs/ext2fs/ext2_inode.c
@@ -224,14 +224,18 @@ ext2_truncate(struct vnode *vp, off_t length, int flags, struct ucred *cred,
* will be returned to the free list. lastiblock values are also
* normalized to -1 for calls to ext2_indirtrunc below.
*/
- bcopy((caddr_t)&oip->i_db[0], (caddr_t)oldblks, sizeof(oldblks));
- for (level = TRIPLE; level >= SINGLE; level--)
+ for (level = TRIPLE; level >= SINGLE; level--) {
+ oldblks[NDADDR + level] = oip->i_ib[level];
if (lastiblock[level] < 0) {
oip->i_ib[level] = 0;
lastiblock[level] = -1;
}
- for (i = NDADDR - 1; i > lastblock; i--)
- oip->i_db[i] = 0;
+ }
+ for (i = 0; i < NDADDR; i++) {
+ oldblks[i] = oip->i_db[i];
+ if (i > lastblock)
+ oip->i_db[i] = 0;
+ }
oip->i_flag |= IN_CHANGE | IN_UPDATE;
allerror = ext2_update(ovp, !DOINGASYNC(ovp));
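Review bot: The comment above the first loop still describes only the zeroing, so nothing records why `oldblks` is now filled entry by entry from `oip->i_db` and `oip->i_ib` rather than by a single `bcopy`. A short comment there, for example `/* i_db and i_ib are separate arrays; save each by index, never as one contiguous copy. */`, would keep a later cleanup from reintroducing the overrun that the commit message describes. The bound on `oldblks[NDADDR + level]` depends on the declaration of `oldblks`, which is outside this hunk, as is the rest of ext2_truncate.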
@@ -241,8 +245,14 @@ ext2_truncate(struct vnode *vp, off_t length, int flags, struct ucred *cred,
* Note that we save the new block configuration so we can check it
* when we are done.
*/
- bcopy((caddr_t)&oip->i_db[0], (caddr_t)newblks, sizeof(newblks));
- bcopy((caddr_t)oldblks, (caddr_t)&oip->i_db[0], sizeof(oldblks));
+ for (i = 0; i < NDADDR; i++) {
+ newblks[i] = oip->i_db[i];
+ oip->i_db[i] = oldblks[i];
+ }
+ for (i = 0; i < NIADDR; i++) {
+ newblks[NDADDR + i] = oip->i_ib[i];
+ oip->i_ib[i] = oldblks[NDADDR + i];
+ }
oip->i_size = osize;
error = vtruncbuf(ovp, cred, length, (int)fs->e2fs_bsize);
if (error && (allerror == 0))
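Review bot: The indirect-pointer slots are walked with `i < NIADDR` in these loops but with `level` running from `TRIPLE` down to `SINGLE` in the first hunk. The two only address the same `oldblks[NDADDR + ...]` entries if `SINGLE` is 0 and `TRIPLE` is `NIADDR - 1`. Those constants are defined outside the visible lines. If that is what they are, a compile-time check such as `CTASSERT(SINGLE == 0 && TRIPLE == NIADDR - 1);` near the array declarations would make the assumption explicit. ext2_truncate continues past the end of this hunk.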