From owner-svn-src-head@freebsd.org  Tue Apr 26 22:30:55 2016
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8DBA8B1D1E6;
 Tue, 26 Apr 2016 22:30:55 +0000 (UTC) (envelope-from cem@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 5E7851FEA;
 Tue, 26 Apr 2016 22:30:55 +0000 (UTC) (envelope-from cem@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u3QMUspV073469;
 Tue, 26 Apr 2016 22:30:54 GMT (envelope-from cem@FreeBSD.org)
Received: (from cem@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u3QMUs7W073468;
 Tue, 26 Apr 2016 22:30:54 GMT (envelope-from cem@FreeBSD.org)
Message-Id: <201604262230.u3QMUs7W073468@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: cem set sender to cem@FreeBSD.org
 using -f
From: "Conrad E. Meyer" <cem@FreeBSD.org>
Date: Tue, 26 Apr 2016 22:30:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r298671 - head/sys/geom/part
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2016 22:30:55 -0000

Author: cem
Date: Tue Apr 26 22:30:54 2016
New Revision: 298671
URL: https://svnweb.freebsd.org/changeset/base/298671

Log:
  g_part_bsd64: Check for valid on-disk npartitions value
  
  This value is u32 on disk, but assigned to an int in memory.  After we do the
  implicit conversion via assignment, check that the result is at least one[1]
  (non-negative[2]).
  
  1. The subsequent for-loop iterates from gpt_entries minus one, down, until
     reaching zero.  A negative or zero initial index results in undefined signed
     integer overflow.
  2. It is also used to index into arrays later.
  
  In practice, we expected non-malicious disks to contain small positive values.
  
  Reported by:	Coverity
  CID:		1223202
  Sponsored by:	EMC / Isilon Storage Division

Modified:
  head/sys/geom/part/g_part_bsd64.c

Modified: head/sys/geom/part/g_part_bsd64.c
==============================================================================
--- head/sys/geom/part/g_part_bsd64.c	Tue Apr 26 22:01:07 2016	(r298670)
+++ head/sys/geom/part/g_part_bsd64.c	Tue Apr 26 22:30:54 2016	(r298671)
@@ -509,7 +509,8 @@ g_part_bsd64_read(struct g_part_table *b
 
 	dlp = (struct disklabel64 *)buf;
 	basetable->gpt_entries = le32toh(dlp->d_npartitions);
-	if (basetable->gpt_entries > MAXPARTITIONS64)
+	if (basetable->gpt_entries > MAXPARTITIONS64 ||
+	    basetable->gpt_entries < 1)
 		goto invalid_label;
 	v32 = le32toh(dlp->d_crc);
 	dlp->d_crc = 0;