Date: Wed, 21 Dec 2022 01:18:29 GMT From: Zhenlei Huang <zlei@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 2e543af13ab3 - main - geom_part: Fix potential integer overflow when checking size of the table Message-ID: <202212210118.2BL1ITsW080192@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by zlei: URL: https://cgit.FreeBSD.org/src/commit/?id=2e543af13ab3746c7626c53293c007c8747eff9d commit 2e543af13ab3746c7626c53293c007c8747eff9d Author: Zhenlei Huang <zlei@FreeBSD.org> AuthorDate: 2022-12-21 01:04:30 +0000 Commit: Zhenlei Huang <zlei@FreeBSD.org> CommitDate: 2022-12-21 01:04:30 +0000 geom_part: Fix potential integer overflow when checking size of the table `hdr_entries` and `hdr_entsz` are both uint32_t as defined in UEFI spec. Current spec does not have upper limit of the number of partition entries and the size of partition entry, it is potential that malicious or corrupted GPT header read from untrusted source contains large size of entry number or size. PR: 266548 Reviewed by: oshogbo, cem, imp, markj Approved by: kp (mentor) MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D36709 --- sys/geom/part/g_part_gpt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/geom/part/g_part_gpt.c b/sys/geom/part/g_part_gpt.c index cd04fe714fbe..e0c477f467b4 100644 --- a/sys/geom/part/g_part_gpt.c +++ b/sys/geom/part/g_part_gpt.c @@ -515,7 +515,8 @@ gpt_read_hdr(struct g_part_gpt_table *table, struct g_consumer *cp, hdr->hdr_lba_table <= hdr->hdr_lba_end) goto fail; lba = hdr->hdr_lba_table + - howmany(hdr->hdr_entries * hdr->hdr_entsz, pp->sectorsize) - 1; + howmany((uint64_t)hdr->hdr_entries * hdr->hdr_entsz, + pp->sectorsize) - 1; if (lba >= last) goto fail; if (lba >= hdr->hdr_lba_start && lba <= hdr->hdr_lba_end)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202212210118.2BL1ITsW080192>