Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 6 Sep 2023 04:53:06 GMT
From:      Zhenlei Huang <zlei@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 8fdb1181ab8d - stable/12 - geom_part: Fix potential integer overflow when checking size of the table
Message-ID:  <202309060453.3864r6Lu022338@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch stable/12 has been updated by zlei:

URL: https://cgit.FreeBSD.org/src/commit/?id=8fdb1181ab8d28cbf62b1917b602028e34c8c9cc

commit 8fdb1181ab8d28cbf62b1917b602028e34c8c9cc
Author:     Zhenlei Huang <zlei@FreeBSD.org>
AuthorDate: 2022-12-21 01:04:30 +0000
Commit:     Zhenlei Huang <zlei@FreeBSD.org>
CommitDate: 2023-09-06 04:32:56 +0000

    geom_part: Fix potential integer overflow when checking size of the table
    
    `hdr_entries` and `hdr_entsz` are both uint32_t as defined in UEFI spec.
    Current spec does not have upper limit of the number of partition
    entries and the size of partition entry, it is potential that malicious
    or corrupted GPT header read from untrusted source contains large size of
    entry number or size.
    
    PR:             266548
    Reviewed by:    oshogbo, cem, imp, markj
    Approved by:    kp (mentor)
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D36709
    
    (cherry picked from commit 2e543af13ab3746c7626c53293c007c8747eff9d)
    (cherry picked from commit 3070bedd3dc54196f48645966eb34bd3a9bf131d)
---
 sys/geom/part/g_part_gpt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/geom/part/g_part_gpt.c b/sys/geom/part/g_part_gpt.c
index f0890fd71cd0..0fd952153e6c 100644
--- a/sys/geom/part/g_part_gpt.c
+++ b/sys/geom/part/g_part_gpt.c
@@ -492,7 +492,8 @@ gpt_read_hdr(struct g_part_gpt_table *table, struct g_consumer *cp,
 	    hdr->hdr_lba_table <= hdr->hdr_lba_end)
 		goto fail;
 	lba = hdr->hdr_lba_table +
-	    howmany(hdr->hdr_entries * hdr->hdr_entsz, pp->sectorsize) - 1;
+	    howmany((uint64_t)hdr->hdr_entries * hdr->hdr_entsz,
+	        pp->sectorsize) - 1;
 	if (lba >= last)
 		goto fail;
 	if (lba >= hdr->hdr_lba_start && lba <= hdr->hdr_lba_end)

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202309060453.3864r6Lu022338>