Date: Tue, 16 Dec 2014 18:45:32 +0000 (UTC) From: "Pedro F. Giffuni" <pfg@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r275834 - stable/10/sys/fs/ext2fs Message-ID: <201412161845.sBGIjWX6039998@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: pfg Date: Tue Dec 16 18:45:31 2014 New Revision: 275834 URL: https://svnweb.freebsd.org/changeset/base/275834 Log: MFC r275645; ext2fs: Fix old out-of-bounds access. Overrunning buffer pointed to by (caddr_t)&oip->i_db[0] of 48 bytes by passing it to a function which accesses it at byte offset 59 using argument 60UL. The issue was inherited from an older FFS implementation and fixed there with by merging UFS2 in r98542. We follow the FFS fix. CID: 1007665 Discussed with: bde Modified: stable/10/sys/fs/ext2fs/ext2_inode.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/fs/ext2fs/ext2_inode.c ============================================================================== --- stable/10/sys/fs/ext2fs/ext2_inode.c Tue Dec 16 18:28:33 2014 (r275833) +++ stable/10/sys/fs/ext2fs/ext2_inode.c Tue Dec 16 18:45:31 2014 (r275834) @@ -224,14 +224,18 @@ ext2_truncate(struct vnode *vp, off_t le * will be returned to the free list. lastiblock values are also * normalized to -1 for calls to ext2_indirtrunc below. */ - bcopy((caddr_t)&oip->i_db[0], (caddr_t)oldblks, sizeof(oldblks)); - for (level = TRIPLE; level >= SINGLE; level--) + for (level = TRIPLE; level >= SINGLE; level--) { + oldblks[NDADDR + level] = oip->i_ib[level]; if (lastiblock[level] < 0) { oip->i_ib[level] = 0; lastiblock[level] = -1; } - for (i = NDADDR - 1; i > lastblock; i--) - oip->i_db[i] = 0; + } + for (i = 0; i < NDADDR; i++) { + oldblks[i] = oip->i_db[i]; + if (i > lastblock) + oip->i_db[i] = 0; + } oip->i_flag |= IN_CHANGE | IN_UPDATE; allerror = ext2_update(ovp, !DOINGASYNC(ovp)); @@ -241,8 +245,14 @@ ext2_truncate(struct vnode *vp, off_t le * Note that we save the new block configuration so we can check it * when we are done. */ - bcopy((caddr_t)&oip->i_db[0], (caddr_t)newblks, sizeof(newblks)); - bcopy((caddr_t)oldblks, (caddr_t)&oip->i_db[0], sizeof(oldblks)); + for (i = 0; i < NDADDR; i++) { + newblks[i] = oip->i_db[i]; + oip->i_db[i] = oldblks[i]; + } + for (i = 0; i < NIADDR; i++) { + newblks[NDADDR + i] = oip->i_ib[i]; + oip->i_ib[i] = oldblks[NDADDR + i]; + } oip->i_size = osize; error = vtruncbuf(ovp, cred, length, (int)fs->e2fs_bsize); if (error && (allerror == 0))
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201412161845.sBGIjWX6039998>