From nobody Wed Aug 6 13:50:46 2025
Date: Wed, 6 Aug 2025 13:50:46 GMT
Message-Id: <202508061350.576Dok1L052459@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Dag-Erling Smørgrav
Subject: git: 3caee2a93f23 - main - hastd: Fix nv data size check
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 3caee2a93f235ebcfe3a8ec99eb2c3f3e5b0438f

The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=3caee2a93f235ebcfe3a8ec99eb2c3f3e5b0438f

commit 3caee2a93f235ebcfe3a8ec99eb2c3f3e5b0438f
Author:     Dag-Erling Smørgrav
AuthorDate: 2025-08-06 13:49:37 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2025-08-06 13:49:37 +0000

    hastd: Fix nv data size check

    The data size check, as currently written, can be defeated by providing
    a very large number that rounds up to 0, which will pass the check
    (because zero plus the size of the header and name is smaller than the
    size of the message) but cause a segfault later when used to index the
    data array. Rewrite the data size check to take rounding into account,
    and add a cast to ensure the name size can't round up to zero.

    MFC after:	1 week
    PR:		266827
    Reviewed by:	markj
    Differential Revision:	https://reviews.freebsd.org/D51615
---
 sbin/hastd/nv.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/sbin/hastd/nv.c b/sbin/hastd/nv.c
index 0730e4f2a794..16ab95cf0dc6 100644
--- a/sbin/hastd/nv.c
+++ b/sbin/hastd/nv.c
@@ -97,7 +97,7 @@ struct nvhdr { } __packed; #define NVH_DATA(nvh) ((unsigned char *)nvh + NVH_HSIZE(nvh)) #define NVH_HSIZE(nvh) \ - (sizeof(struct nvhdr) + roundup2((nvh)->nvh_namesize, 8)) + (sizeof(struct nvhdr) + roundup2((size_t)(nvh)->nvh_namesize, 8)) #define NVH_DSIZE(nvh) \ (((nvh)->nvh_type & NV_ORDER_MASK) == NV_ORDER_HOST ? \ (nvh)->nvh_dsize : \ @@ -247,11 +247,8 @@ nv_validate(struct nv *nv, size_t *extrap) break; } dsize = NVH_DSIZE(nvh); - if (dsize == 0) { - error = EINVAL; - break; - } - if (size < NVH_SIZE(nvh)) { + if (roundup2(dsize, 8) == 0 || + roundup2(dsize, 8) > size - NVH_HSIZE(nvh)) { error = EINVAL; break; }
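Review bot: the new (size_t) cast in NVH_HSIZE carries its rationale only in the commit message; nothing at the definition says that it widens nvh_namesize so that roundup2(..., 8) cannot wrap to 0, and a later cleanup could easily drop it as redundant. Add a one-line comment above NVH_HSIZE stating that purpose. Minor style point in the same region: NVH_DATA is defined in terms of NVH_HSIZE before NVH_HSIZE is defined, which works only because both are macros expanded at the point of use; defining NVH_HSIZE first reads more naturally.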
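Review bot: in the nv_validate hunk, `size - NVH_HSIZE(nvh)` is an unsigned subtraction, so if size is smaller than NVH_HSIZE(nvh) it wraps to a huge value and the new condition accepts any dsize; the removed `size < NVH_SIZE(nvh)` test covered that case implicitly because NVH_SIZE includes the header. Unless an earlier check not visible in this hunk already guarantees size >= NVH_HSIZE(nvh), add `NVH_HSIZE(nvh) > size ||` as the first operand of the new condition. The `roundup2(dsize, 8) == 0` operand does preserve the dropped `dsize == 0` rejection, since roundup2(0, 8) is 0, but roundup2(dsize, 8) is now evaluated twice; storing it once (e.g. `rdsize = roundup2(dsize, 8);`) makes it obvious both comparisons look at the same value.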
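As an added illustration of the wraparound the commit message describes (example code written for this note, not hastd's nv.c), the block below models the data-size check before and after this commit and feeds both a 32-bit data size that pads to 0. The header layout (a 6-byte fixed part), the field widths, and the names nv_hsize, rounded_dsize, check_old and check_new are assumptions made for the demonstration; roundup2 is written out as FreeBSD's sys/param.h defines it. check_new also adds an explicit size >= header guard, which the committed hunk itself does not contain.

```c
/*
 * Added example, not hastd's code: models the nv data-size check before
 * and after this commit to show how a 32-bit data size that rounds up to 0
 * defeats the old check. Header layout, field widths and function names
 * are assumptions made for the demonstration.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* roundup2() as defined in FreeBSD's sys/param.h; y must be a power of two. */
#define roundup2(x, y) (((x) + ((y) - 1)) & ~((y) - 1))

/* Assumed fixed header: 1-byte type, 1-byte name size, 4-byte data size. */
#define HDR_FIXED_SIZE 6u

/* Header size: fixed part plus the name padded to 8 (models NVH_HSIZE). */
static size_t nv_hsize(uint8_t namesize)
{
    /* The cast mirrors the commit: widen before rounding so it cannot wrap. */
    return HDR_FIXED_SIZE + roundup2((size_t)namesize, 8);
}

/* Data size after padding, computed in 32 bits (assumed width of the field). */
static uint32_t rounded_dsize(uint32_t dsize)
{
    /* 0xFFFFFFFF + 7 wraps to 6, and 6 & ~7 is 0: a huge size "fits". */
    return roundup2(dsize, 8);
}

/*
 * Old check: reject dsize == 0, then require header + padded data to fit
 * in the message. A dsize whose padded value wraps to 0 passes, even though
 * dsize itself is far larger than the message.
 */
static bool check_old(size_t size, uint8_t namesize, uint32_t dsize)
{
    if (dsize == 0)
        return false;
    size_t nvh_size = nv_hsize(namesize) + rounded_dsize(dsize);
    return size >= nvh_size;
}

/*
 * Committed check: the padded size must be non-zero and must not exceed what
 * remains after the header. The size >= hsize guard is added here because
 * the subtraction is unsigned; the committed hunk does not include one, so
 * that condition must already hold before the check runs.
 */
static bool check_new(size_t size, uint8_t namesize, uint32_t dsize)
{
    size_t hsize = nv_hsize(namesize);
    if (size < hsize)
        return false;
    uint32_t rdsize = rounded_dsize(dsize);
    return rdsize != 0 && rdsize <= size - hsize;
}

int main(void)
{
    const size_t msg_size = 64;  /* constructed: a 64-byte message buffer */
    const uint8_t name = 4;      /* constructed: a 4-byte field name */
    const uint32_t cases[] = { 16, 100, 0, 0xFFFFFFFFu };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("dsize=0x%08" PRIx32 " padded=0x%08" PRIx32 " old=%s new=%s\n",
            cases[i], rounded_dsize(cases[i]),
            check_old(msg_size, name, cases[i]) ? "accept" : "reject",
            check_new(msg_size, name, cases[i]) ? "accept" : "reject");
    }
    return 0;
}
```

Running it shows the old check accepting dsize 0xFFFFFFFF for a 64-byte message (its padded value is 0, so header plus zero still fits) while the committed form rejects it; ordinary sizes are handled identically by both.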