From owner-svn-src-stable@freebsd.org Fri May 13 08:54:09 2016 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B88E1B3914F; Fri, 13 May 2016 08:54:09 +0000 (UTC) (envelope-from ngie@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7010C16BA; Fri, 13 May 2016 08:54:09 +0000 (UTC) (envelope-from ngie@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u4D8s8m8071516; Fri, 13 May 2016 08:54:08 GMT (envelope-from ngie@FreeBSD.org) Received: (from ngie@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u4D8s8Zl071515; Fri, 13 May 2016 08:54:08 GMT (envelope-from ngie@FreeBSD.org) Message-Id: <201605130854.u4D8s8Zl071515@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ngie set sender to ngie@FreeBSD.org using -f From: Garrett Cooper Date: Fri, 13 May 2016 08:54:08 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r299629 - stable/10/sys/geom/part X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 May 2016 08:54:09 -0000 Author: ngie Date: Fri May 13 08:54:08 2016 New Revision: 299629 URL: https://svnweb.freebsd.org/changeset/base/299629 Log: MFC r298671,r298672: r298671 (by cem): g_part_bsd64: Check for valid on-disk npartitions value This value is u32 on disk, but assigned to an int in memory. After we do the implicit conversion via assignment, check that the result is at least one[1] (non-negative[2]). 1. The subsequent for-loop iterates from gpt_entries minus one, down, until reaching zero. A negative or zero initial index results in undefined signed integer overflow. 2. It is also used to index into arrays later. In practice, we expected non-malicious disks to contain small positive values. CID: 1223202 r298672 (by cem): g_part_bsd64: Delete duplicate/dead code RAW_PART is handled earlier in the loop. CID: 1223201 Modified: stable/10/sys/geom/part/g_part_bsd64.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/geom/part/g_part_bsd64.c ============================================================================== --- stable/10/sys/geom/part/g_part_bsd64.c Fri May 13 08:51:51 2016 (r299628) +++ stable/10/sys/geom/part/g_part_bsd64.c Fri May 13 08:54:08 2016 (r299629) @@ -510,7 +510,8 @@ g_part_bsd64_read(struct g_part_table *b dlp = (struct disklabel64 *)buf; basetable->gpt_entries = le32toh(dlp->d_npartitions); - if (basetable->gpt_entries > MAXPARTITIONS64) + if (basetable->gpt_entries > MAXPARTITIONS64 || + basetable->gpt_entries < 1) goto invalid_label; v32 = le32toh(dlp->d_crc); dlp->d_crc = 0; @@ -563,8 +564,6 @@ g_part_bsd64_read(struct g_part_table *b le_uuid_dec(&dlp->d_partitions[index].p_stor_uuid, &entry->stor_uuid); entry->fstype = dlp->d_partitions[index].p_fstype; - if (index == RAW_PART) - baseentry->gpe_internal = 1; } bcopy(dlp->d_reserved0, table->d_reserved0, sizeof(table->d_reserved0));