diff options
author | Raphael S. Carvalho <raphaelsc@cloudius-systems.com> | 2014-10-08 21:46:07 -0300 |
---|---|---|
committer | Karel Zak <kzak@redhat.com> | 2014-10-24 11:10:06 +0200 |
commit | 0d5bf499358959103ffab4f6bcd57a80156e0bf3 (patch) | |
tree | 883b7f77901a80ea4075fca33d441fe89711de6b | |
parent | ee6d6fcdf78b909a9bd67fc41fc79f8c266ff981 (diff) | |
download | util-linux-0d5bf499358959103ffab4f6bcd57a80156e0bf3.tar.gz |
blkdiscard: fix underflow when offset is greater than device size
If offset (range[0]) is greater than device size (blksize), the variable 'end'
will be greater than blksize, and range[1] (length) will be recalculated.
The underflow happens when subtracting range[0] (offset) from blksize, thus
range[1] will be the result of an underflow. The bug leads to unwanted behavior
from the program, where range[1] is likely to be a high number and then will
discard a considerable amount of blocks from the device. The fix consists of
exitting the program with an error message when the condition stated above is
true. Spotted while auditing the code.
Signed-off-by: Raphael S. Carvalho <raphaelsc@cloudius-systems.com>
-rw-r--r-- | sys-utils/blkdiscard.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys-utils/blkdiscard.c b/sys-utils/blkdiscard.c index 2ddcdb1b4..2f22af724 100644 --- a/sys-utils/blkdiscard.c +++ b/sys-utils/blkdiscard.c @@ -149,6 +149,8 @@ int main(int argc, char **argv) range[1] &= ~(secsize - 1); /* is the range end behind the end of the device ?*/ + if (range[0] > blksize) + err(EXIT_FAILURE, _("%s: offset is greater than device size"), path); end = range[0] + range[1]; if (end < range[0] || end > blksize) range[1] = blksize - range[0]; |