From: Theodore Ts'o
Date: Fri, 20 Mar 2020 19:24:18 +0000 (-0400)
Subject: libext2fs: fix the {set_get}_bitmap_range functions when bitmap->start > 7
X-Git-Tag: v1.45.6~14
X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=23c6ef3de362aa291a15cc21a8a82a534a785fde;p=tools%2Fe2fsprogs.git

libext2fs: fix the {set_get}_bitmap_range functions when bitmap->start > 7

The bitmap array's set/get bitmap_range functions were not subtracting out bitmap->start. This doesn't matter for normal file systems, since the bitmap->start is zero or one, and the passed-in starting range is a multiple of eight, and the starting range is then divided by 8. But with a non-standard/fuzzed file system, bitmap->start could be significantly larger, and this could then lead to a array out of bounds memory reference.

Google-Bug-Id: 147849134
Signed-off-by: Theodore Ts'o
---
diff --git a/lib/ext2fs/gen_bitmap.c b/lib/ext2fs/gen_bitmap.c
index c94c21b..1536d4b 100644
--- a/lib/ext2fs/gen_bitmap.c
+++ b/lib/ext2fs/gen_bitmap.c
@@ -418,7 +418,7 @@ errcode_t ext2fs_get_generic_bitmap_range(ext2fs_generic_bitmap gen_bmap,
 	if ((start < bmap->start) || (start+num-1 > bmap->real_end))
 		return EXT2_ET_INVALID_ARGUMENT;
 
-	memcpy(out, bmap->bitmap + (start >> 3), (num+7) >> 3);
+	memcpy(out, bmap->bitmap + ((start - bmap->start) >> 3), (num+7) >> 3);
 	return 0;
 }
 
@@ -435,7 +435,7 @@ errcode_t ext2fs_set_generic_bitmap_range(ext2fs_generic_bitmap gen_bmap,
 	if ((start < bmap->start) || (start+num-1 > bmap->real_end))
 		return EXT2_ET_INVALID_ARGUMENT;
 
-	memcpy(bmap->bitmap + (start >> 3), in, (num+7) >> 3);
+	memcpy(bmap->bitmap + ((start - bmap->start) >> 3), in, (num+7) >> 3);
 	return 0;
 }
 
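Review bot: The corrected memcpy offset in ext2fs_get_generic_bitmap_range still silently assumes `start - bmap->start` is a multiple of 8, but the range check above it only verifies that the bit range lies within [bmap->start, bmap->real_end]; the commit message itself states this alignment is merely what well-formed callers happen to pass. When the difference is not byte-aligned the copy starts at the containing byte, so the caller receives (or, in the set variant, writes) a bit-shifted window that overlaps bits outside the requested range rather than getting an error; the arithmetic does not run past the allocation, so this is a wrong-data issue, not a further out-of-bounds one. A cheap guard next to the existing check would make the precondition explicit: `if ((start - bmap->start) & 7) return EXT2_ET_INVALID_ARGUMENT;`, or at minimum a comment stating that the byte-granular copy requires byte-aligned `start`. The same applies to the second hunk in ext2fs_set_generic_bitmap_range, where a misaligned write corrupts neighbouring bitmap bits. Both functions' signatures and the magic checks are outside the hunks, so any `num == 0` handling (where `start+num-1` wraps before the comparison) would need to be confirmed there.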