Date: Wed, 6 Sep 2023 04:53:08 GMT
Message-Id: <202309060453.3864r8sO022389@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Zhenlei Huang
Subject: git: 70e32e5b52d9 - stable/12 - geom_linux_lvm: Check the offset of physical volume header
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: zlei
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: 70e32e5b52d9b34bdc205f04a616998effc493b0
Auto-Submitted: auto-generated

The branch stable/12 has been updated by zlei:

URL: https://cgit.FreeBSD.org/src/commit/?id=70e32e5b52d9b34bdc205f04a616998effc493b0

commit 70e32e5b52d9b34bdc205f04a616998effc493b0
Author:     Zhenlei Huang
AuthorDate: 2023-08-22 09:20:10 +0000
Commit:     Zhenlei Huang
CommitDate: 2023-09-06 04:32:56 +0000

    geom_linux_lvm: Check the offset of physical volume header

    The LVM label is stored on any of the first four sectors, and the PV
    (physical volume) header is stored within the same sector following the
    LVM label. The current implementation does not fully check the offset of
    the PV header; when attaching a badly formatted LVM PV, the kernel may
    crash due to an out-of-bounds memory read.

    PR:             266562
    Reviewed by:    jhb
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D36773

    (cherry picked from commit c941b82e1c31a67a025c43cc7bd31f269fa62588)
    (cherry picked from commit 809450c4b53109b6ca8a87054452f2b3b8f711aa)

--- sys/geom/linux_lvm/g_linux_lvm.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/sys/geom/linux_lvm/g_linux_lvm.c b/sys/geom/linux_lvm/g_linux_lvm.c index 06fdfbcf7878..c7b0239dae61 100644 --- a/sys/geom/linux_lvm/g_linux_lvm.c +++ b/sys/geom/linux_lvm/g_linux_lvm.c 
@@ -68,7 +68,8 @@ static int g_llvm_read_label(struct g_consumer *, struct g_llvm_label *); static int g_llvm_read_md(struct g_consumer *, struct g_llvm_metadata *, struct g_llvm_label *); -static int llvm_label_decode(const u_char *, struct g_llvm_label *, int); +static int llvm_label_decode(const u_char *, struct g_llvm_label *, + int, u_int); static int llvm_md_decode(const u_char *, struct g_llvm_metadata *, struct g_llvm_label *); static int llvm_textconf_decode(u_char *, int, @@ -631,7 +632,8 @@ g_llvm_read_label(struct g_consumer *cp, struct g_llvm_label *ll) /* Search the four sectors for the LVM label. */ for (i = 0; i < 4; i++) { - error = llvm_label_decode(&buf[i * pp->sectorsize], ll, i); + error = llvm_label_decode(&buf[i * pp->sectorsize], ll, i, + pp->sectorsize); if (error == 0) break; /* found it */ } @@ -697,7 +699,8 @@ g_llvm_read_md(struct g_consumer *cp, struct g_llvm_metadata *md, } static int -llvm_label_decode(const u_char *data, struct g_llvm_label *ll, int sector) +llvm_label_decode(const u_char *data, struct g_llvm_label *ll, int sector, + u_int sectorsize) { uint64_t off; char *uuid; @@ -722,6 +725,13 @@ llvm_label_decode(const u_char *data, struct g_llvm_label *ll, int sector) return (EINVAL); } + /* XXX The minimal possible size of physical volume header is 88 */ + if (ll->ll_offset < 32 || ll->ll_offset > sectorsize - 88) { + G_LLVM_DEBUG(0, "Invalid physical volume header offset %u", + ll->ll_offset); + return (EINVAL); + } + off = ll->ll_offset; /* * convert the binary uuid to string format, the format is
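
Review bot: In the llvm_label_decode() hunk at @@ -722,6 +725,13 @@, the upper bound `ll->ll_offset > sectorsize - 88` is evaluated in unsigned arithmetic because `sectorsize` is a `u_int`, so a sector size below 88 would make the subtraction wrap to a very large value and the check would then accept any offset. Consider making the precondition explicit, for example `sectorsize < 88 || ll->ll_offset > sectorsize - 88`, or asserting a minimum sector size at the call in g_llvm_read_label(). The constants 32 and 88 are bare literals: the XXX comment explains 88 but says nothing about why 32 is the lower bound, and named macros would document both and keep the check in step with the on-disk layout. Since the comment describes 88 as the minimal possible header size, this check only guarantees room for that minimum, so any field read past the first 88 bytes at `off` still needs its own bound against `sectorsize`.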