Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 11 Jan 2023 10:40:01 GMT
From:      Zhenlei Huang <zlei@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 3070bedd3dc5 - stable/13 - geom_part: Fix potential integer overflow when checking size of the table
Message-ID:  <202301111040.30BAe18q069975@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch stable/13 has been updated by zlei:

URL: https://cgit.FreeBSD.org/src/commit/?id=3070bedd3dc54196f48645966eb34bd3a9bf131d

commit 3070bedd3dc54196f48645966eb34bd3a9bf131d
Author:     Zhenlei Huang <zlei@FreeBSD.org>
AuthorDate: 2022-12-21 01:04:30 +0000
Commit:     Zhenlei Huang <zlei@FreeBSD.org>
CommitDate: 2023-01-11 10:35:59 +0000

    geom_part: Fix potential integer overflow when checking size of the table
    
    `hdr_entries` and `hdr_entsz` are both uint32_t as defined in UEFI spec.
    Current spec does not have upper limit of the number of partition
    entries and the size of partition entry, it is potential that malicious
    or corrupted GPT header read from untrusted source contains large size of
    entry number or size.
    
    PR:             266548
    Reviewed by:    oshogbo, cem, imp, markj
    Approved by:    kp (mentor)
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D36709
    
    (cherry picked from commit 2e543af13ab3746c7626c53293c007c8747eff9d)
---
 sys/geom/part/g_part_gpt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/geom/part/g_part_gpt.c b/sys/geom/part/g_part_gpt.c
index a42a20683792..775ec20081ea 100644
--- a/sys/geom/part/g_part_gpt.c
+++ b/sys/geom/part/g_part_gpt.c
@@ -515,7 +515,8 @@ gpt_read_hdr(struct g_part_gpt_table *table, struct g_consumer *cp,
 	    hdr->hdr_lba_table <= hdr->hdr_lba_end)
 		goto fail;
 	lba = hdr->hdr_lba_table +
-	    howmany(hdr->hdr_entries * hdr->hdr_entsz, pp->sectorsize) - 1;
+	    howmany((uint64_t)hdr->hdr_entries * hdr->hdr_entsz,
+	        pp->sectorsize) - 1;
 	if (lba >= last)
 		goto fail;
 	if (lba >= hdr->hdr_lba_start && lba <= hdr->hdr_lba_end)

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202301111040.30BAe18q069975>