[U-Boot] [PATCH v3 10/13] ext4: Avoid out-of-bounds access of block bitmap

Lukasz Majewski l.majewski at samsung.com
Mon Aug 29 16:08:41 CEST 2016


Hi Stefan,

> If the blocksize is 1024, count is initialized with 1. Incrementing
> count by 8 will never match (count == fs->blksz * 8), and ptr may be
> incremented beyond the buffer end if the bitmap is filled. Add the
> startblock offset after the loop.
> 
> Remove the second loop, as only the first iteration will be done.
> 
> Signed-off-by: Stefan Brüns <stefan.bruens at rwth-aachen.de>
> ---
>  fs/ext4/ext4_common.c | 34 ++++++++++++----------------------
>  1 file changed, 12 insertions(+), 22 deletions(-)
> 
> v3: Patch added to series
> 
> diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
> index 362668b..11da6fa 100644
> --- a/fs/ext4/ext4_common.c
> +++ b/fs/ext4/ext4_common.c
> @@ -158,18 +158,12 @@ static int _get_new_inode_no(unsigned char
> *buffer) 
>  static int _get_new_blk_no(unsigned char *buffer)
>  {
> -	unsigned char input;
> -	int operand, status;
> +	int operand;
>  	int count = 0;
> -	int j = 0;
> +	int i;
>  	unsigned char *ptr = buffer;
>  	struct ext_filesystem *fs = get_fs();
>  
> -	if (fs->blksz != 1024)
> -		count = 0;
> -	else
> -		count = 1;
> -
>  	while (*ptr == 255) {
>  		ptr++;
>  		count += 8;
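Review bot: The scan in `while (*ptr == 255)` is still bounded only by the exact-equality test quoted in the commit message, (count == fs->blksz * 8), which holds only as long as `count` enters the loop as a multiple of 8. With `int count = 0;` that is true now, but a `>=` comparison would keep `ptr` inside the bitmap even if the initial value is changed again later. Since the function receives only `buffer` and no length, a comment stating that the buffer must be at least fs->blksz bytes would also help.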
> @@ -177,21 +171,17 @@ static int _get_new_blk_no(unsigned char
> *buffer) return -1;
>  	}
>  
> -	for (j = 0; j < fs->blksz; j++) {
> -		input = *ptr;
> -		int i = 0;
> -		while (i <= 7) {
> -			operand = 1 << i;
> -			status = input & operand;
> -			if (status) {
> -				i++;
> -				count++;
> -			} else {
> -				*ptr |= operand;
> -				return count;
> -			}
> +	if (fs->blksz == 1024)
> +		count += 1;
> +
> +	for (i = 0; i <= 7; i++) {
> +		operand = 1 << i;
> +		if (*ptr & operand) {
> +			count++;
> +		} else {
> +			*ptr |= operand;
> +			return count;
>  		}
> -		ptr = ptr + 1;
>  	}
>  
>  	return -1;
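Review bot: The `if (fs->blksz == 1024) count += 1;` adjustment after the scan carries no comment explaining why a 1024-byte block size shifts the result by one. The commit message calls it the startblock offset; a one-line comment saying so (or a named value instead of the bare literals) would make it less likely that someone moves it back in front of the loop. Separately, the `while (*ptr == 255)` loop can only fall through onto a byte that has a clear bit, so the `for (i = 0; i <= 7; i++)` loop always returns and the trailing `return -1;` is not reachable; consider a comment there or dropping it.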

Reviewed-by: Lukasz Majewski <l.majewski at samsung.com> 

-- 
Best regards,

Lukasz Majewski

Samsung R&D Institute Poland (SRPOL) | Linux Platform Group

