diff mbox series

e2image: fix overflow in l2 table processing

Message ID 20210422052448.29802-1-artem.blagodarenko@gmail.com
State Accepted
Headers show
Series e2image: fix overflow in l2 table processing | expand

Commit Message

Artem Blagodarenko April 22, 2021, 5:24 a.m. UTC 
For a large partition during e2image capture process
it is possible to overflow offset at multiply operation.
This leads to the situation when data is written to the
position at the start of the image instead of the image end.

Let's use the right cast to avoid integer overflow.

Signed-off-by: Alexey Lyashkov <c17817@cray.com>
Signed-off-by: Artem Blagodarenko <c17828@cray.com>
HPE-bug-id: LUS-9368
---
 lib/ext2fs/qcow2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Theodore Ts'o May 7, 2021, 10:49 p.m. UTC | #1 
On Thu, Apr 22, 2021 at 01:24:48AM -0400, Artem Blagodarenko wrote:
> For a large partition during e2image capture process
> it is possible to overflow offset at multiply operation.
> This leads to the situation when data is written to the
> position at the start of the image instead of the image end.
> 
> Let's use the right cast to avoid integer overflow.
> 
> Signed-off-by: Alexey Lyashkov <c17817@cray.com>
> Signed-off-by: Artem Blagodarenko <c17828@cray.com>
> HPE-bug-id: LUS-9368

Thanks, applied.

					- Ted
diff mbox series

Patch

diff --git a/lib/ext2fs/qcow2.c b/lib/ext2fs/qcow2.c
index ee701f7a..20824170 100644
--- a/lib/ext2fs/qcow2.c
+++ b/lib/ext2fs/qcow2.c
@@ -238,7 +238,7 @@  int qcow2_write_raw_image(int qcow2_fd, int raw_fd,
 			if (offset == 0)
 				continue;
 
-			off_out = (l1_index * img.l2_size) +
+			off_out = ((__u64)l1_index * img.l2_size) +
 				  l2_index;
 			off_out <<= img.cluster_bits;
 			ret = qcow2_copy_data(qcow2_fd, raw_fd, offset,