>From 466965a048cea8aecd6cf5691ffe58aa04cbebb2 Mon Sep 17 00:00:00 2001
From: Bogdan Boguslavskij
Date: Wed, 20 May 2026 17:07:20 +0300
Subject: [PATCH] Fix DB2 hash bitmap page count validation

In __kdb2_hash_open(), bpages is computed from the hash file header and then used as the size argument when clearing hashp->mapp. The mapp array has only NCACHED entries, so a malformed hash database can cause memset() to write past the end of the array. Return EFTYPE if the computed bitmap page count is negative or greater then NCACHED. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Bogdan Boguslavskij
---
 krb5/src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/krb5/src/plugins/kdb/db2/libdb2/hash/hash.c b/krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
index 862dbb164..6431b904c 100644
--- a/krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -172,6 +172,9 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
 (hashp->hdr.bsize << BYTE_SHIFT) - 1) >>
 (hashp->hdr.bshift + BYTE_SHIFT);
 
+ if (bpages > NCACHED || bpages < 0)
+ RETURN_ERROR(EFTYPE, error1);
+
 hashp->nmaps = bpages;
 (void)memset(&hashp->mapp[0], 0, bpages * sizeof(u_int32_t *));
 }
-- 
2.50.1
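Review bot: The new range check runs only after bpages has already been computed from header fields, and the shift count `hashp->hdr.bshift + BYTE_SHIFT` on the context line just above also comes from the same untrusted file header; unless bshift (and bsize) are bounds-checked earlier in __kdb2_hash_open, which starts outside this hunk, a shift count at or beyond the width of the operand is undefined behavior before the new check ever executes, so the header fields feeding that expression should be validated first. The check itself matches the memset below, since the commit message states mapp has NCACHED entries, making bpages == NCACHED the largest count that stays in bounds. A short comment would let the next reader see why the bound is NCACHED rather than an arbitrary limit, e.g. `/* mapp[] has NCACHED entries; a corrupt header must not size the memset past it. */`.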