svn commit: r275645 - head/sys/fs/ext2fs
Pedro F. Giffuni
pfg at FreeBSD.org
Tue Dec 9 14:56:01 UTC 2014
Author: pfg
Date: Tue Dec 9 14:56:00 2014
New Revision: 275645
URL: https://svnweb.freebsd.org/changeset/base/275645
Log:
ext2fs: Fix old out-of-bounds access.
Overrunning buffer pointed to by (caddr_t)&oip->i_db[0] of 48 bytes by
passing it to a function which accesses it at byte offset 59 using
argument 60UL.
The issue was inherited from an older FFS implementation and
fixed there by merging UFS2 in r98542. We follow the
FFS fix.
Discussed with: bde
CID: 1007665
MFC after: 3 days
Modified:
head/sys/fs/ext2fs/ext2_inode.c
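An added example, written for this page and not part of the commit or of FreeBSD's ext2fs, showing why the old single bcopy() from &oip->i_db[0] was only right by accident and what the element-wise loops in the patch below buy. struct toy_inode, struct toy_inode_padded, the function names and the values NDADDR = 12 and NIADDR = 3 are assumptions for the illustration (the page does not show these definitions); the padded variant goes beyond the commit and shows what would happen if a field were ever placed between i_db and i_ib.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NDADDR 12 /* direct block slots; assumed, as in ext2fs's inode.h */
#define NIADDR 3  /* indirect block slots; assumed */

/* Toy stand-in for the block map of the in-core inode. i_ib sits right
 * behind i_db, which is the only reason the old bcopy() gave the right
 * answer. */
struct toy_inode {
	int32_t i_db[NDADDR];
	int32_t i_ib[NIADDR];
};

/* The same two arrays with a hypothetical field between them. */
struct toy_inode_padded {
	int32_t i_db[NDADDR];
	int32_t i_extra;
	int32_t i_ib[NIADDR];
};

/* Old save: one copy of NDADDR + NIADDR entries starting at &i_db[0]. It
 * reads 60 bytes out of a 48-byte array and is only correct while i_ib
 * follows i_db with nothing in between. (The original used bcopy();
 * memcpy() is the same operation here.) */
void save_blocks_bcopy(const int32_t *db, int32_t *oldblks)
{
	memcpy(oldblks, db, (NDADDR + NIADDR) * sizeof(int32_t));
}

/* Patched save: each array is read from its own base pointer, so the
 * result does not depend on where the compiler put i_ib. */
void save_blocks_elementwise(const int32_t *db, const int32_t *ib,
    int32_t *oldblks)
{
	int i;

	for (i = 0; i < NDADDR; i++)
		oldblks[i] = db[i];
	for (i = 0; i < NIADDR; i++)
		oldblks[NDADDR + i] = ib[i];
}

/* Constructed block numbers: direct slots 100.., indirect slots 200.. */
static void fill(int32_t *db, int32_t *ib)
{
	int i;

	for (i = 0; i < NDADDR; i++)
		db[i] = 100 + i;
	for (i = 0; i < NIADDR; i++)
		ib[i] = 200 + i;
}

/* Number of slots on which the two saves disagree for the given arrays;
 * 0 means the bcopy() shortcut happened to be right. */
static int count_mismatches(const int32_t *db, const int32_t *ib)
{
	int32_t a[NDADDR + NIADDR], b[NDADDR + NIADDR];
	int i, bad = 0;

	save_blocks_bcopy(db, a);
	save_blocks_elementwise(db, ib, b);
	for (i = 0; i < NDADDR + NIADDR; i++)
		if (a[i] != b[i])
			bad++;
	return (bad);
}

/* Layout the old code relied on: both saves agree, returns 0. */
int mismatches_unpadded(void)
{
	struct toy_inode ip;

	fill(ip.i_db, ip.i_ib);
	return (count_mismatches(ip.i_db, ip.i_ib));
}

/* One field between the arrays: the bcopy() save records i_extra as the
 * single-indirect block and shifts the rest, so every indirect slot is
 * wrong while the direct slots still look fine; returns NIADDR (3). */
int mismatches_padded(void)
{
	struct toy_inode_padded ip;

	fill(ip.i_db, ip.i_ib);
	ip.i_extra = -1;
	return (count_mismatches(ip.i_db, ip.i_ib));
}

int main(void)
{
	printf("unpadded layout: %d mismatching slots\n", mismatches_unpadded());
	printf("padded layout:   %d mismatching slots\n", mismatches_padded());
	return (0);
}
```

The point of the padded variant is that the old code would not have crashed or failed a test on the real layout; it would have silently saved the wrong indirect block numbers and then written them back into the inode in the restore path, which is the kind of defect a static checker finds long before a user does.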
Modified: head/sys/fs/ext2fs/ext2_inode.c
==============================================================================
--- head/sys/fs/ext2fs/ext2_inode.c Tue Dec 9 14:21:43 2014 (r275644)
+++ head/sys/fs/ext2fs/ext2_inode.c Tue Dec 9 14:56:00 2014 (r275645)
@@ -224,14 +224,18 @@ ext2_truncate(struct vnode *vp, off_t le
* will be returned to the free list. lastiblock values are also
* normalized to -1 for calls to ext2_indirtrunc below.
*/
- bcopy((caddr_t)&oip->i_db[0], (caddr_t)oldblks, sizeof(oldblks));
- for (level = TRIPLE; level >= SINGLE; level--)
+ for (level = TRIPLE; level >= SINGLE; level--) {
+ oldblks[NDADDR + level] = oip->i_ib[level];
if (lastiblock[level] < 0) {
oip->i_ib[level] = 0;
lastiblock[level] = -1;
}
- for (i = NDADDR - 1; i > lastblock; i--)
- oip->i_db[i] = 0;
+ }
+ for (i = 0; i < NDADDR; i++) {
+ oldblks[i] = oip->i_db[i];
+ if (i > lastblock)
+ oip->i_db[i] = 0;
+ }
oip->i_flag |= IN_CHANGE | IN_UPDATE;
allerror = ext2_update(ovp, !DOINGASYNC(ovp));
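Review bot: the save of the indirect slots in the first loop (oldblks[NDADDR + level] = oip->i_ib[level]) walks level from TRIPLE down to SINGLE, while the matching restore in the next hunk walks i from 0 to NIADDR - 1; the two only cover the same slots if NIADDR == TRIPLE + 1. Consider writing both loops over the same bound, or adding a CTASSERT(NIADDR == TRIPLE + 1) next to the save, so a later edit to one loop cannot leave part of oldblks stale. Apart from that the hunk matches the log: neither loop reads past i_db any more, and the new forward i_db loop zeroes exactly the slots the old reverse loop did (i > lastblock).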
@@ -241,8 +245,14 @@ ext2_truncate(struct vnode *vp, off_t le
* Note that we save the new block configuration so we can check it
* when we are done.
*/
- bcopy((caddr_t)&oip->i_db[0], (caddr_t)newblks, sizeof(newblks));
- bcopy((caddr_t)oldblks, (caddr_t)&oip->i_db[0], sizeof(oldblks));
+ for (i = 0; i < NDADDR; i++) {
+ newblks[i] = oip->i_db[i];
+ oip->i_db[i] = oldblks[i];
+ }
+ for (i = 0; i < NIADDR; i++) {
+ newblks[NDADDR + i] = oip->i_ib[i];
+ oip->i_ib[i] = oldblks[NDADDR + i];
+ }
oip->i_size = osize;
error = vtruncbuf(ovp, cred, length, (int)fs->e2fs_bsize);
if (error && (allerror == 0))
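Review bot: oldblks and newblks are now indexed up to NDADDR + NIADDR - 1 instead of being filled with sizeof()-sized copies, and their declarations are not in this diff; check that both are declared with NDADDR + NIADDR elements of the block-number type and that no other spot in ext2_truncate() still uses sizeof(oldblks) as a byte count against &oip->i_db[0]. A one-line comment above these two loops saying that i_db and i_ib are copied separately on purpose, because nothing guarantees i_ib follows i_db in memory, would keep the next reader from "simplifying" this back into a single bcopy().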