Tobias Stoeckmann wrote this message on Tue, Jun 17, 2014 at 00:05 +0200:
> there is a potential off-by-one in function fillinusemap() leading to
> possible out of boundary access (32 bytes after allocated area).
>
> pmp->pm_inusemap is allocated in msdosfs_vfsops.c like this:
>
> bmapsiz = (pmp->pm_maxcluster + N_INUSEBITS - 1) / N_INUSEBITS;
> pmp->pm_inusemap = malloc(bmapsiz * sizeof(*pmp->pm_inusemap),
>     M_MSDOSFSFAT, M_WAITOK | M_CANFAIL);
>
> and accessed in msdosfs_fat.c like this:
>
> for (cn = 0; cn < (pmp->pm_maxcluster + N_INUSEBITS) / N_INUSEBITS; cn++)
>
> Assignment of bmapsiz and for-condition should be equal, and actually
> resemble a resolved version of the howmany macro (hint to my howmany mail ;)).
> Unfortunately "- 1" is missing in the for-loop. This _can_ lead to out of
> boundary access, depending on the actual pmp->pm_maxcluster value.

FreeBSD fixed this by increasing the malloc size:
https://svnweb.freebsd.org/changeset/base/r126086

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
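The following is an added worked example, not code from the message above or from the msdosfs sources. It reproduces the two bounds quoted in the thread (the allocation size from msdosfs_vfsops.c and the loop limit from msdosfs_fat.c) as small functions and shows, for a given pm_maxcluster, whether the fillinusemap() loop would step one word past the allocated bitmap. The value of N_INUSEBITS (8 * sizeof(unsigned int), i.e. 32 on the platforms discussed), the helper names, and the guard-word simulation are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed from the msdosfs sources: the in-use map is an array of unsigned
 * ints and N_INUSEBITS is the number of bits per word (32 here). */
#define N_INUSEBITS (8 * sizeof(unsigned int))

/* Words reserved by the allocator in msdosfs_vfsops.c:
 * bmapsiz = (pm_maxcluster + N_INUSEBITS - 1) / N_INUSEBITS
 * This is howmany(pm_maxcluster, N_INUSEBITS), i.e. ceil(pm_maxcluster / 32). */
size_t inusemap_alloc_words(size_t pm_maxcluster)
{
    return (pm_maxcluster + N_INUSEBITS - 1) / N_INUSEBITS;
}

/* Upper bound used by the fillinusemap() loop in msdosfs_fat.c:
 * cn < (pm_maxcluster + N_INUSEBITS) / N_INUSEBITS
 * which is floor(pm_maxcluster / 32) + 1, one more than the allocation
 * whenever pm_maxcluster is an exact multiple of N_INUSEBITS. */
size_t inusemap_loop_words(size_t pm_maxcluster)
{
    return (pm_maxcluster + N_INUSEBITS) / N_INUSEBITS;
}

/* Nonzero when the loop bound exceeds the number of allocated words. */
int inusemap_overruns(size_t pm_maxcluster)
{
    return inusemap_loop_words(pm_maxcluster) > inusemap_alloc_words(pm_maxcluster);
}

/* Simulation (assumption, not kernel code): allocate the bitmap exactly as
 * the allocator would, append one guard word, then run the loop as the
 * original fillinusemap() does (it first marks every word all-in-use).
 * Returns 1 if the guard word was overwritten, 0 if not, -1 on malloc failure. */
int simulate_fill(size_t pm_maxcluster)
{
    size_t nwords = inusemap_alloc_words(pm_maxcluster);
    const unsigned int guard = 0xDEADBEEFu;   /* constructed sentinel value */
    unsigned int *map = calloc(nwords + 1, sizeof *map);
    if (map == NULL)
        return -1;
    map[nwords] = guard;

    for (size_t cn = 0; cn < inusemap_loop_words(pm_maxcluster); cn++)
        map[cn] = ~0u;

    int hit = (map[nwords] != guard);
    free(map);
    return hit;
}

int main(void)
{
    /* Constructed sample values around one word boundary. */
    const size_t samples[] = { 0, 31, 32, 33, 63, 64, 65 };
    printf("%12s %6s %6s %8s\n", "pm_maxcluster", "alloc", "loop", "overrun");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t m = samples[i];
        printf("%12zu %6zu %6zu %8s\n", m,
               inusemap_alloc_words(m), inusemap_loop_words(m),
               simulate_fill(m) ? "yes" : "no");
    }
    return 0;
}
```

The table makes the condition concrete: the loop count equals the allocation for every pm_maxcluster that is not a multiple of N_INUSEBITS, and exceeds it by exactly one word (one unsigned int) when it is. That matches the observation that the overrun depends on the actual pm_maxcluster value; a bound of the form howmany(n, N_INUSEBITS) used consistently at both the allocation and the loop removes the mismatch.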