
Commit 4a489450 authored by Haoran.Wang

fsmgr: fix integer overflow in fs_mgr



As the EXT4_MAX_BLOCK_SIZE is defined as 65536, which reached the maximum
value of unsigned int, the superblock value may be larger than 65536. This
is found by the Integer Overflow Sanitizer.

This patch fixed below boot error when userdata is corrupted:
init: processing action (fs) from
(/vendor/etc/init/hw/init.freescale.rc:221)
init: [libfs_mgr]Invalid ext4 superblock on '/dev/block/by-name/userdata'
init: InitFatalReboot: signal 6 init: #00 pc 00000000000af7e8  /system/bin/init
(android::init::InitFatalReboot(int)+208) init: #1 pc 00000000000afbd0  /system/bin/init
(android::init::InstallRebootSignalHandlers()::$_22::__invoke(int)+32)
init: #2 pc 00000000000006bc  [vdso:0000ffff9691b000] (__kernel_rt_sigreturn)
init: #3 pc 000000000004e070  /system/lib64/bootstrap/libc.so (abort+176)
init: #4 pc 000000000003427c  /system/lib64/libfs_mgr.so
(read_ext4_superblock(std::__1::basic_string<char, std::__1::char_
traits<char>, std::__1::allocator<char> > const&,
android::fs_mgr::FstabEntry const&, ext4_super_block*, int*)+1804)

Test: boot with corrupted ext4 superblock

Change-Id: I58ed723afa9975d0e93f96fad7c55465e68b3edd
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
parent 53122b14
+1 −1
@@ -331,7 +331,7 @@ static bool read_ext4_superblock(const std::string& blk_device, const FstabEntry
            // try backup superblock, if main superblock is corrupted
            for (unsigned int blocksize = EXT4_MIN_BLOCK_SIZE; blocksize <= EXT4_MAX_BLOCK_SIZE;
                 blocksize *= 2) {
                unsigned int superblock = blocksize * 8;
                uint64_t superblock = blocksize * 8;
                if (blocksize == EXT4_MIN_BLOCK_SIZE) superblock++;

                if (TEMP_FAILURE_RETRY(pread(fd, sb, sizeof(*sb), superblock * blocksize)) !=
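Review bot: the wrap this change guards against happens in the `superblock * blocksize` offset passed to `pread`, not in the initializer, and nothing in the hunk says so. With `blocksize` at the 65536 upper bound of the loop, `blocksize * 8` is 524288 and fits in 32 bits, but its product with `blocksize` is 2^35 and does not, so the 64-bit type is what keeps the byte offset from wrapping. The initializer `blocksize * 8` is still evaluated in `unsigned int` and only widened afterwards; that is safe for these bounds, but writing it as `uint64_t superblock = static_cast<uint64_t>(blocksize) * 8;` would make the intent explicit and keep it correct if the loop bounds ever change. A one-line comment above the declaration explaining that the variable is 64-bit for the sake of the offset multiplication would also prevent someone from narrowing it back later.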