[31551] in CVS-changelog-for-Kerberos-V5
krb5 commit: Fix DB2 hash bitmap page count validation
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Mon Jun 22 17:43:13 2026
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260622214307.D2F701055B0@krbdev.mit.edu>
Date: Mon, 22 Jun 2026 17:43:07 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/1e12220dc3609cfbe0b9662a8fa8b18143fa3e7f
commit 1e12220dc3609cfbe0b9662a8fa8b18143fa3e7f
Author: Bogdan Boguslavskij <bogdanb@altlinux.org>
Date: Wed May 20 17:07:20 2026 +0300
Fix DB2 hash bitmap page count validation
In __kdb2_hash_open(), bpages is computed from the hash file header
and then used as the size argument when clearing hashp->mapp. The
mapp array has only NCACHED entries, so a malformed hash database can
cause memset() to write past the end of the array. Return EFTYPE if
the computed bitmap page count is negative or greater then NCACHED.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
ticket: 9215
src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
index 7c3e951aa..f90aae0f9 100644
--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -170,6 +170,9 @@ __kdb2_hash_open(const char *file, int flags, int mode, const HASHINFO *info,
(hashp->hdr.bsize << BYTE_SHIFT) - 1) >>
(hashp->hdr.bshift + BYTE_SHIFT);
+ if (bpages > NCACHED || bpages < 0)
+ RETURN_ERROR(EFTYPE, error1);
+
hashp->nmaps = bpages;
(void)memset(&hashp->mapp[0], 0, bpages * sizeof(u_int32_t *));
}
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
