fs: hfs: Possible issue with increment of extent

From: Colin Ian King
Date: Fri Aug 31 2018 - 09:39:16 EST

Next message: Radu Pirea: "[RESEND PATCH v11 0/6] Driver for at91 usart in spi mode"
Previous message: Willem de Bruijn: "Re: [PATCH net-next 1/3] net: rework SIOCGSTAMP ioctl handling"
Next in thread: Al Viro: "Re: fs: hfs: Possible issue with increment of extent"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Static analysis has picked up a potential issue with an out of bounds
read in fs/hfs/extent.c; the following for-loop in hfs_free_fork()
increments i and also extent while also reading extent[i].count. This
looks incorrect to me, I think the increment of extent is not needed:

for (i = 0; i < 3; extent++, i++)
blocks += be16_to_cpu(extent[i].count);

res = hfs_free_extents(sb, extent, blocks, blocks);

I'm not familiar enough with the code to conclude that removing the
increment of extent is necessary a correct fix just in case I'm missing
something subtle here.

This issue was picked up by static analysis with CoverityScan:

CID 711541 (#1 of 1): Out-of-bounds read:
Overrunning array of 3 4-byte elements at element index 4 (byte offset
16) by dereferencing pointer extent + i.

Colin

Next message: Radu Pirea: "[RESEND PATCH v11 0/6] Driver for at91 usart in spi mode"
Previous message: Willem de Bruijn: "Re: [PATCH net-next 1/3] net: rework SIOCGSTAMP ioctl handling"
Next in thread: Al Viro: "Re: fs: hfs: Possible issue with increment of extent"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]