Commit 695d0668 authored by Luca Weiss, committed by Bjorn Andersson
storage: fix out of bounds read


Given that shadow_len is size_t (unsigned integer), subtracting a number
from it will make it wrap around < 0 and become positive again so the
subsequent "if (n > 0)" check will be mostly useless. On AOSP this makes
rmtfs segfault, on Linux distributions rmtfs happily reads beyond the
end of the buf.

Fix this by casting both parameters to ssize_t (which is signed) to
correctly use the if and not read beyond the end of shadow_buf.

Relevant trace using extra debug statements:
  storage_populate_shadow_buf: file=/dev/disk/by-partlabel/fsg shadow_buf=0xffffa5217060 shadow_len=0x280000
  <snip>
  storage_pread: memcpy shadow_buf=0xffffa5217060 offset=0x27fc00 n=0x200
  storage_pread: memcpy shadow_buf=0xffffa5217060 offset=0x27fe00 n=0x200
  storage_pread: memcpy shadow_buf=0xffffa5217060 offset=0x280000 n=0x0 - don't read!
  storage_pread: memcpy shadow_buf=0xffffa5217060 offset=0x280200 n=0x200
  storage_pread: memcpy shadow_buf=0xffffa5217060 offset=0x280400 n=0x200
  storage_pread: memcpy shadow_buf=0xffffa5217060 offset=0x280600 n=0x200
  storage_pread: memcpy shadow_buf=0xffffa5217060 offset=0x280800 n=0x200
  <snip>

Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
parent b08ef6f9
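The wraparound the commit message describes, as an added example that is not part of the commit or of rmtfs itself: `shadow_read_len_buggy` models the pre-fix length computation in unsigned `size_t` arithmetic, `shadow_read_len_fixed` applies the `ssize_t` cast the commit describes, and `shadow_read_len_clamped` is an alternative that compares before subtracting and so does not depend on both values fitting in `ssize_t`. The function names, the `MIN` macro and the `reads_past_end` helper are assumptions for illustration; only the `shadow_len`, offsets and `n` values are taken from the trace above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Hypothetical model of the pre-fix computation (not rmtfs's own code):
 * shadow_len - offset is evaluated in size_t, so once offset exceeds
 * shadow_len the result wraps to a value near SIZE_MAX, MIN() then picks
 * nbyte, and "n > 0" is true. Returns the byte count that would be
 * handed to memcpy(). */
size_t shadow_read_len_buggy(size_t shadow_len, size_t offset, size_t nbyte)
{
    size_t n = MIN(shadow_len - offset, nbyte);
    return n > 0 ? n : 0;
}

/* The fix as described in the commit message: do the subtraction in
 * ssize_t so a result below zero stays negative and fails "n > 0". */
size_t shadow_read_len_fixed(size_t shadow_len, size_t offset, size_t nbyte)
{
    ssize_t n = MIN((ssize_t)shadow_len - (ssize_t)offset, (ssize_t)nbyte);
    return n > 0 ? (size_t)n : 0;
}

/* Alternative (my own, not from the commit): reject offsets at or past the
 * end before subtracting, so no signed cast is needed and lengths above
 * SSIZE_MAX cannot misbehave either. */
size_t shadow_read_len_clamped(size_t shadow_len, size_t offset, size_t nbyte)
{
    if (offset >= shadow_len)
        return 0;
    return MIN(shadow_len - offset, nbyte);
}

/* Returns 1 if copying the computed length from buf + offset would touch
 * bytes beyond buf + shadow_len, i.e. an out-of-bounds read. */
int reads_past_end(size_t (*len_fn)(size_t, size_t, size_t),
                   size_t shadow_len, size_t offset, size_t nbyte)
{
    size_t n = len_fn(shadow_len, offset, nbyte);

    if (n == 0)
        return 0;
    return offset > shadow_len || n > shadow_len - offset;
}

/* Replay the offsets from the trace against shadow_len=0x280000, n=0x200. */
int main(void)
{
    const size_t shadow_len = 0x280000;
    const size_t nbyte = 0x200;
    const size_t offsets[] = { 0x27fc00, 0x27fe00, 0x280000, 0x280200, 0x280400 };
    size_t i;

    printf("%-10s %-12s %-12s %-12s\n", "offset", "buggy", "fixed", "clamped");
    for (i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
        size_t off = offsets[i];
        printf("0x%-8zx 0x%-4zx OOB=%d  0x%-4zx OOB=%d  0x%-4zx OOB=%d\n", off,
               shadow_read_len_buggy(shadow_len, off, nbyte),
               reads_past_end(shadow_read_len_buggy, shadow_len, off, nbyte),
               shadow_read_len_fixed(shadow_len, off, nbyte),
               reads_past_end(shadow_read_len_fixed, shadow_len, off, nbyte),
               shadow_read_len_clamped(shadow_len, off, nbyte),
               reads_past_end(shadow_read_len_clamped, shadow_len, off, nbyte));
    }
    return 0;
}
```

At offset 0x280000 all three variants return 0, matching the "n=0x0 - don't read!" line in the trace; at 0x280200 the buggy variant wraps and returns 0x200 (the value the trace shows being passed to memcpy), while both corrected variants return 0. The `ssize_t` cast is sufficient as long as `shadow_len` and `offset` are below `SSIZE_MAX`, which holds for a partition-sized buffer; the compare-first form removes even that assumption.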