From owner-svn-src-all@FreeBSD.ORG Tue Dec 16 18:45:32 2014
Message-Id: <201412161845.sBGIjWX6039998@svn.freebsd.org>
From: "Pedro F. Giffuni"
Date: Tue, 16 Dec 2014 18:45:32 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r275834 - stable/10/sys/fs/ext2fs
X-SVN-Group: stable-10

Author: pfg
Date: Tue Dec 16 18:45:31 2014
New Revision: 275834

URL: https://svnweb.freebsd.org/changeset/base/275834

Log:
  MFC r275645;
  ext2fs: Fix old out-of-bounds access.

  Overrunning buffer pointed to by (caddr_t)&oip->i_db[0] of 48 bytes by
  passing it to a function which accesses it at byte offset 59 using
  argument 60UL.

  The issue was inherited from an older FFS implementation and fixed
  there by merging UFS2 in r98542. We follow the FFS fix.

  CID:		1007665
  Discussed with:	bde

Modified:
  stable/10/sys/fs/ext2fs/ext2_inode.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/fs/ext2fs/ext2_inode.c
==============================================================================
--- stable/10/sys/fs/ext2fs/ext2_inode.c	Tue Dec 16 18:28:33 2014	(r275833)
+++ stable/10/sys/fs/ext2fs/ext2_inode.c	Tue Dec 16 18:45:31 2014	(r275834)
@@ -224,14 +224,18 @@ ext2_truncate(struct vnode *vp, off_t le * will be returned to the free list. lastiblock values are also * normalized to -1 for calls to ext2_indirtrunc below. */ - bcopy((caddr_t)&oip->i_db[0], (caddr_t)oldblks, sizeof(oldblks)); - for (level = TRIPLE; level >= SINGLE; level--) + for (level = TRIPLE; level >= SINGLE; level--) { + oldblks[NDADDR + level] = oip->i_ib[level]; if (lastiblock[level] < 0) { oip->i_ib[level] = 0; lastiblock[level] = -1; } - for (i = NDADDR - 1; i > lastblock; i--) - oip->i_db[i] = 0; + } + for (i = 0; i < NDADDR; i++) { + oldblks[i] = oip->i_db[i]; + if (i > lastblock) + oip->i_db[i] = 0; + } oip->i_flag |= IN_CHANGE | IN_UPDATE; allerror = ext2_update(ovp, !DOINGASYNC(ovp)); @@ -241,8 +245,14 @@ ext2_truncate(struct vnode *vp, off_t le * Note that we save the new block configuration so we can check it * when we are done. */ - bcopy((caddr_t)&oip->i_db[0], (caddr_t)newblks, sizeof(newblks)); - bcopy((caddr_t)oldblks, (caddr_t)&oip->i_db[0], sizeof(oldblks)); + for (i = 0; i < NDADDR; i++) { + newblks[i] = oip->i_db[i]; + oip->i_db[i] = oldblks[i]; + } + for (i = 0; i < NIADDR; i++) { + newblks[NDADDR + i] = oip->i_ib[i]; + oip->i_ib[i] = oldblks[NDADDR + i]; + } oip->i_size = osize; error = vtruncbuf(ovp, cred, length, (int)fs->e2fs_bsize); if (error && (allerror == 0))
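Review bot: in the first hunk (@@ -224,14 +224,18 @@) the i_ib[] save is bounded by the TRIPLE..SINGLE level loop (`oldblks[NDADDR + level] = oip->i_ib[level];`), while the matching restore in the second hunk is bounded by `i < NIADDR`; the two agree only because NIADDR == TRIPLE + 1, so either save i_ib[] in its own `for (i = 0; i < NIADDR; i++)` loop to match, or add a one-line comment stating the equivalence. A short comment above the new loops would also help: the removed `bcopy((caddr_t)&oip->i_db[0], (caddr_t)oldblks, sizeof(oldblks));` read 60 bytes (per the log) out of the 48-byte i_db[] array and only worked because i_ib[] happens to follow i_db[] in the inode, and without that note the explicit per-array loops read like a needless expansion of a one-liner. The upward `for (i = 0; i < NDADDR; i++)` with `if (i > lastblock)` replaces the old downward loop; the stores are independent, so the result is the same.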
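Review bot: in the second hunk (@@ -241,8 +245,14 @@) the restore loops mirror the save layout of the first hunk (i_db[] at oldblks[0..NDADDR), i_ib[] at oldblks[NDADDR..NDADDR+NIADDR)), which is correct, but the preceding comment says newblks is saved "so we can check it when we are done" and that check lies outside this hunk: confirm it indexes newblks[] per array the same way and does not itself bcopy() sizeof(newblks) out of i_db[], or the same overrun survives on the verification path. Worth a comment as well that the statement order inside each loop body matters: `newblks[i] = oip->i_db[i];` must read the inode field before `oip->i_db[i] = oldblks[i];` overwrites it, and likewise for the i_ib[] loop.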