Date: Sat, 8 Jan 2022 04:29:35 GMT
Message-Id: <202201080429.2084TZMd022319@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Konstantin Belousov
Subject: git: ba2c98389b78 - main - msdosfs: sanity check sector count from BPB
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kib
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ba2c98389b78b548aedac0be53121df909c3fe2f

The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=ba2c98389b78b548aedac0be53121df909c3fe2f

commit
ba2c98389b78b548aedac0be53121df909c3fe2f Author: Konstantin Belousov AuthorDate: 2021-12-30 19:45:40 +0000 Commit: Konstantin Belousov CommitDate: 2022-01-08 03:41:44 +0000 msdosfs: sanity check sector count from BPB We use sector count to size the FAT inuse bitset. If sector count is corrupted, kernel might be tricked into doing unbound allocation. Ensure that the sector count does not exceed the actual volume size. In collaboration with: pho Reviewed by: markj, mckusick Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D33721 --- sys/fs/msdosfs/msdosfs_vfsops.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/sys/fs/msdosfs/msdosfs_vfsops.c b/sys/fs/msdosfs/msdosfs_vfsops.c index 5eb6ad04eab9..8ef46e063420 100644 --- a/sys/fs/msdosfs/msdosfs_vfsops.c +++ b/sys/fs/msdosfs/msdosfs_vfsops.c @@ -558,6 +558,14 @@ mountmsdosfs(struct vnode *devvp, struct mount *mp) } pmp->pm_HugeSectors *= pmp->pm_BlkPerSec; + if ((off_t)pmp->pm_HugeSectors * pmp->pm_BytesPerSec < + pmp->pm_HugeSectors /* overflow */ || + (off_t)pmp->pm_HugeSectors * pmp->pm_BytesPerSec > + cp->provider->mediasize /* past end of vol */) { + error = EINVAL; + goto error_exit; + } + pmp->pm_HiddenSects *= pmp->pm_BlkPerSec; /* XXX not used? */ pmp->pm_FATsecs *= pmp->pm_BlkPerSec; SecPerClust *= pmp->pm_BlkPerSec; @@ -577,6 +585,10 @@ mountmsdosfs(struct vnode *devvp, struct mount *mp) pmp->pm_firstcluster = pmp->pm_rootdirblk + pmp->pm_rootdirsize; } + if (pmp->pm_HugeSectors <= pmp->pm_firstcluster) { + error = EINVAL; + goto error_exit; + } pmp->pm_maxcluster = (pmp->pm_HugeSectors - pmp->pm_firstcluster) / SecPerClust + 1; pmp->pm_fatsize = pmp->pm_FATsecs * DEV_BSIZE; /* XXX not used? */
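
Review bot: in the hunk at @@ -558,6 +558,14 @@, the overflow arm `(off_t)pmp->pm_HugeSectors * pmp->pm_BytesPerSec < pmp->pm_HugeSectors` depends on a signed off_t product wrapping, which C leaves undefined, and a wrapped product is not guaranteed to come out smaller than the operand. A division avoids the multiplication altogether and covers both arms in one comparison, for example `pmp->pm_HugeSectors > cp->provider->mediasize / pmp->pm_BytesPerSec`, provided pm_BytesPerSec has already been checked to be nonzero earlier in mountmsdosfs(). Two related points on the same hunk: the context line `pmp->pm_HugeSectors *= pmp->pm_BlkPerSec;` runs before the new check, so that scaling can itself wrap before anything is validated, and if pm_BlkPerSec is the number of device blocks per sector, as the name suggests, the scaled count is then multiplied by pm_BytesPerSec in mismatched units, which would reject valid volumes whenever pm_BlkPerSec is greater than 1. Doing the comparison on the unscaled sector count, before the `*=`, would address both.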
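
Review bot: in the hunk at @@ -577,6 +585,10 @@, the new test `pmp->pm_HugeSectors <= pmp->pm_firstcluster` stops the subtraction on the following line from going negative or wrapping, but it still admits a data area smaller than one cluster. In that case `(pmp->pm_HugeSectors - pmp->pm_firstcluster) / SecPerClust + 1` evaluates to 1, which is below the first valid FAT cluster number (2), so the volume has no usable clusters. Either reject it here as well, for example by also requiring `pmp->pm_HugeSectors - pmp->pm_firstcluster >= SecPerClust`, or confirm that the later FAT-type and bitmap sizing code tolerates pm_maxcluster of 1. The check also has no comment, unlike the `/* overflow */` and `/* past end of vol */` annotations in the first hunk; a short note that it guards the pm_maxcluster computation would help the next reader.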