author: Raphael S. Carvalho <raphaelsc@cloudius-systems.com> 2014-10-08 21:46:07 -0300
committer: Karel Zak <kzak@redhat.com> 2014-10-24 11:10:06 +0200
commit: 0d5bf499358959103ffab4f6bcd57a80156e0bf3
tree: 883b7f77901a80ea4075fca33d441fe89711de6b
parent: ee6d6fcdf78b909a9bd67fc41fc79f8c266ff981
blkdiscard: fix underflow when offset is greater than device size
If offset (range[0]) is greater than device size (blksize), the variable 'end' will be greater than blksize, and range[1] (length) will be recalculated. The underflow happens when subtracting range[0] (offset) from blksize, thus range[1] will be the result of an underflow.

The bug leads to unwanted behavior from the program, where range[1] is likely to be a high number and then will discard a considerable amount of blocks from the device.

The fix consists of exiting the program with an error message when the condition stated above is true.

Spotted while auditing the code.

Signed-off-by: Raphael S. Carvalho <raphaelsc@cloudius-systems.com>
-rw-r--r-- sys-utils/blkdiscard.c 2
1 file changed, 2 insertions, 0 deletions
diff --git a/sys-utils/blkdiscard.c b/sys-utils/blkdiscard.c
index 2ddcdb1b4..2f22af724 100644
--- a/sys-utils/blkdiscard.c
+++ b/sys-utils/blkdiscard.c
@@ -149,6 +149,8 @@ int main(int argc, char **argv)
range[1] &= ~(secsize - 1);
/* is the range end behind the end of the device ?*/
+ if (range[0] > blksize)
+ err(EXIT_FAILURE, _("%s: offset is greater than device size"), path);
end = range[0] + range[1];
if (end < range[0] || end > blksize)
range[1] = blksize - range[0];
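Review bot: the new check calls err(), which appends strerror(errno) to the message, but nothing in the lines leading up to it is a failed call, so the user will see an unrelated or stale errno string after "offset is greater than device size"; errx(EXIT_FAILURE, ...) is the right call for a pure argument-validation failure. Also consider the boundary: with `range[0] > blksize`, an offset exactly equal to blksize still passes, and the clamp below then sets range[1] = blksize - range[0] = 0, so a zero-length range is carried forward instead of being rejected; `>=` would reject it, with the message wording adjusted to match. Minor style point: the existing comment "is the range end behind the end of the device ?" now sits directly above the offset check rather than the end check it describes, so it should move down to just above `end = range[0] + range[1];` or the new test should get its own comment.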