From nobody Thu Aug 14 16:03:15 2025
Date: Thu, 14 Aug 2025 16:03:15 GMT
Message-Id: <202508141603.57EG3FLC080012@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Dag-Erling Smørgrav
Subject: git: ebd7ad28151b - stable/13 - hastd: Fix nv data size check
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: ebd7ad28151b4e97f469aac94388a7ffbf4f3ab0

The branch stable/13 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=ebd7ad28151b4e97f469aac94388a7ffbf4f3ab0

commit ebd7ad28151b4e97f469aac94388a7ffbf4f3ab0
Author:     Dag-Erling Smørgrav
AuthorDate: 2025-08-06 13:49:37 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2025-08-14 14:00:06 +0000

    hastd: Fix nv data size check

    The data size check, as currently written, can be defeated by
    providing a very large number that rounds up to 0, which will pass
    the check (because zero plus the size of the header and name is
    smaller than the size of the message) but cause a segfault later
    when used to index the data array.

    Rewrite the data size check to take rounding into account, and add
    a cast to ensure the name size can't round up to zero.

    MFC after:      1 week
    PR:             266827
    Reviewed by:    markj
    Differential Revision:  https://reviews.freebsd.org/D51615

    (cherry picked from commit 3caee2a93f235ebcfe3a8ec99eb2c3f3e5b0438f)
---
 sbin/hastd/nv.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/sbin/hastd/nv.c b/sbin/hastd/nv.c
index fd6b56c1148d..4e50d0026e7b 100644
--- a/sbin/hastd/nv.c
+++ b/sbin/hastd/nv.c
@@ -98,7 +98,7 @@ struct nvhdr { } __packed; #define NVH_DATA(nvh) ((unsigned char *)nvh + NVH_HSIZE(nvh)) #define NVH_HSIZE(nvh) \ - (sizeof(struct nvhdr) + roundup2((nvh)->nvh_namesize, 8)) + (sizeof(struct nvhdr) + roundup2((size_t)(nvh)->nvh_namesize, 8)) #define NVH_DSIZE(nvh) \ (((nvh)->nvh_type & NV_ORDER_MASK) == NV_ORDER_HOST ? \ (nvh)->nvh_dsize : \ @@ -248,11 +248,8 @@ nv_validate(struct nv *nv, size_t *extrap) break; } dsize = NVH_DSIZE(nvh); - if (dsize == 0) { - error = EINVAL; - break; - } - if (size < NVH_SIZE(nvh)) { + if (roundup2(dsize, 8) == 0 || + roundup2(dsize, 8) > size - NVH_HSIZE(nvh)) { error = EINVAL; break; }
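Review bot: the (size_t) cast in NVH_HSIZE widens nvh_namesize before roundup2() adds and masks, so the rounded name size can no longer wrap to 0 as the commit message describes, but NVH_DSIZE, a few lines below in the same hunk, still hands back the raw nvh_dsize field with no widening; if that field is narrower than size_t, any roundup2() applied directly to it remains exposed to the same wrap unless nv_validate() has rejected the value first. Consider either casting there as well or adding a one-line comment at NVH_DSIZE noting that nv_validate() is the gate, so a future caller does not reintroduce the bug.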
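Review bot: `size - NVH_HSIZE(nvh)` in the new condition is unsigned arithmetic and underflows if size is smaller than the header; the hunk does not show the check that establishes size >= NVH_HSIZE(nvh), so a short comment above the new `if` stating that the header size has already been validated (or an assert() to that effect) would make the dependency explicit. The `roundup2(dsize, 8) == 0` term also deserves a comment: it replaces the removed `dsize == 0` test and additionally catches a rounded length that wraps to 0 when size_t is 32 bits, which is not obvious from the expression alone.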
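The wrap the commit message describes, as an added example that is not hastd's own code: a minimal model of the old and new size checks run over a constructed header whose data length rounds up to 0. The field types (uint8_t name length, uint32_t data length), the 8 fixed header bytes and the function names are assumptions for illustration.

```c
/* Added example, not hastd's own code: the nv_validate() data size check
 * before and after the fix, reduced to the two length fields involved.
 * Header layout and field types (uint8_t, uint32_t) are assumptions. */
#include <stdint.h>
#include <stdio.h>

/* Same definition as sys/param.h. The arithmetic happens in the type of
 * x, so a uint32_t value near UINT32_MAX wraps around to 0. */
#define roundup2(x, y) (((x) + ((y) - 1)) & (~((y) - 1)))

/* Header size with the fix's widening cast; 8 fixed bytes is constructed. */
static size_t hsize(uint8_t namesize)
{
	return 8 + roundup2((size_t)namesize, 8);
}

/* roundup2() on the raw 32-bit field, as the old total-size check did. */
uint32_t rounded_dsize32(uint32_t dsize)
{
	return roundup2(dsize, 8);
}

/* Pre-fix check: dsize == 0 is rejected, then the buffer must hold header
 * plus rounded data; a rounded value of 0 makes any buffer look big enough. */
int old_check_accepts(uint8_t namesize, uint32_t dsize, size_t size)
{
	if (size < hsize(namesize) || dsize == 0)
		return 0;
	return size >= hsize(namesize) + rounded_dsize32(dsize);
}

/* Post-fix check: round in size_t; reject a rounded length of 0 (dsize == 0,
 * or a wrap on 32-bit size_t) or one exceeding the bytes after the header. */
int new_check_accepts(uint8_t namesize, uint32_t dsize, size_t size)
{
	if (size < hsize(namesize))
		return 0;
	if (roundup2((size_t)dsize, 8) == 0 ||
	    roundup2((size_t)dsize, 8) > size - hsize(namesize))
		return 0;
	return 1;
}

int main(void)
{
	/* Constructed 64-byte message whose header claims dsize 0xFFFFFFFA. */
	printf("old: %s\n", old_check_accepts(4, 0xFFFFFFFAu, 64) ? "accepted" : "rejected");
	printf("new: %s\n", new_check_accepts(4, 0xFFFFFFFAu, 64) ? "accepted" : "rejected");
	return 0;
}
```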