Date: Wed, 17 Dec 2014 14:50:58 +0000 (UTC) From: "Pedro F. Giffuni" <pfg@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r275863 - stable/9/sys/fs/ext2fs Message-ID: <201412171450.sBHEow8m026158@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: pfg Date: Wed Dec 17 14:50:57 2014 New Revision: 275863 URL: https://svnweb.freebsd.org/changeset/base/275863 Log: MFC r275645; ext2fs: Fix old out-of-bounds access. Overrunning buffer pointed to by (caddr_t)&oip->i_db[0] of 48 bytes by passing it to a function which accesses it at byte offset 59 using argument 60UL. The issue was inherited from an older FFS implementation and fixed there with by merging UFS2 in r98542. We follow the FFS fix. CID: 1007665 Discussed with: bde Modified: stable/9/sys/fs/ext2fs/ext2_inode.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/fs/ (props changed) Modified: stable/9/sys/fs/ext2fs/ext2_inode.c ============================================================================== --- stable/9/sys/fs/ext2fs/ext2_inode.c Wed Dec 17 14:46:21 2014 (r275862) +++ stable/9/sys/fs/ext2fs/ext2_inode.c Wed Dec 17 14:50:57 2014 (r275863) @@ -223,14 +223,18 @@ ext2_truncate(struct vnode *vp, off_t le * will be returned to the free list. lastiblock values are also * normalized to -1 for calls to ext2_indirtrunc below. */ - bcopy((caddr_t)&oip->i_db[0], (caddr_t)oldblks, sizeof(oldblks)); - for (level = TRIPLE; level >= SINGLE; level--) + for (level = TRIPLE; level >= SINGLE; level--) { + oldblks[NDADDR + level] = oip->i_ib[level]; if (lastiblock[level] < 0) { oip->i_ib[level] = 0; lastiblock[level] = -1; } - for (i = NDADDR - 1; i > lastblock; i--) - oip->i_db[i] = 0; + } + for (i = 0; i < NDADDR; i++) { + oldblks[i] = oip->i_db[i]; + if (i > lastblock) + oip->i_db[i] = 0; + } oip->i_flag |= IN_CHANGE | IN_UPDATE; allerror = ext2_update(ovp, !DOINGASYNC(ovp)); @@ -240,8 +244,14 @@ ext2_truncate(struct vnode *vp, off_t le * Note that we save the new block configuration so we can check it * when we are done. */ - bcopy((caddr_t)&oip->i_db[0], (caddr_t)newblks, sizeof(newblks)); - bcopy((caddr_t)oldblks, (caddr_t)&oip->i_db[0], sizeof(oldblks)); + for (i = 0; i < NDADDR; i++) { + newblks[i] = oip->i_db[i]; + oip->i_db[i] = oldblks[i]; + } + for (i = 0; i < NIADDR; i++) { + newblks[NDADDR + i] = oip->i_ib[i]; + oip->i_ib[i] = oldblks[NDADDR + i]; + } oip->i_size = osize; error = vtruncbuf(ovp, cred, td, length, (int)fs->e2fs_bsize); if (error && (allerror == 0))
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201412171450.sBHEow8m026158>