From nobody Thu Aug 14 16:03:14 2025
Date: Thu, 14 Aug 2025 16:03:14 GMT
Message-Id: <202508141603.57EG3EXM079949@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Dag-Erling Smørgrav
Subject: git: 62df4a7dd8e0 - stable/14 - hastd: Fix nv data size check
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 62df4a7dd8e0cd0c27da54966f540dfb5c543658
Auto-Submitted: auto-generated

The branch stable/14 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=62df4a7dd8e0cd0c27da54966f540dfb5c543658

commit 62df4a7dd8e0cd0c27da54966f540dfb5c543658
Author:     Dag-Erling Smørgrav
AuthorDate: 2025-08-06 13:49:37 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2025-08-14 14:00:09 +0000

    hastd: Fix nv data size check

    The data size check, as currently written, can be defeated by providing
    a very large number that rounds up to 0, which will pass the check
    (because zero plus the size of the header and name is smaller than the
    size of the message) but cause a segfault later when used to index the
    data array.

    Rewrite the data size check to take rounding into account, and add a
    cast to ensure the name size can't round up to zero.

    MFC after:	1 week
    PR:		266827
    Reviewed by:	markj
    Differential Revision:	https://reviews.freebsd.org/D51615

    (cherry picked from commit 3caee2a93f235ebcfe3a8ec99eb2c3f3e5b0438f)
---
 sbin/hastd/nv.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/sbin/hastd/nv.c b/sbin/hastd/nv.c
index fd6b56c1148d..4e50d0026e7b 100644
--- a/sbin/hastd/nv.c
+++ b/sbin/hastd/nv.c
@@ -98,7 +98,7 @@ struct nvhdr { } __packed; #define NVH_DATA(nvh) ((unsigned char *)nvh + NVH_HSIZE(nvh)) #define NVH_HSIZE(nvh) \ - (sizeof(struct nvhdr) + roundup2((nvh)->nvh_namesize, 8)) + (sizeof(struct nvhdr) + roundup2((size_t)(nvh)->nvh_namesize, 8)) #define NVH_DSIZE(nvh) \ (((nvh)->nvh_type & NV_ORDER_MASK) == NV_ORDER_HOST ? \ (nvh)->nvh_dsize : \ @@ -248,11 +248,8 @@ nv_validate(struct nv *nv, size_t *extrap) break; } dsize = NVH_DSIZE(nvh); - if (dsize == 0) { - error = EINVAL; - break; - } - if (size < NVH_SIZE(nvh)) { + if (roundup2(dsize, 8) == 0 || + roundup2(dsize, 8) > size - NVH_HSIZE(nvh)) { error = EINVAL; break; }
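Review bot: the new `(size_t)` cast in NVH_HSIZE needs a comment on the macro, because nothing in the hunk says why it is there and the field it protects is not declared in the shown context: `roundup2(x, 8)` adds 7 in the promoted type of `x`, so the cast only prevents a wrap to zero while `size_t` is wider than `nvh_namesize` (on ILP32 targets `size_t` is 32 bits, so a 32-bit field would still wrap). NVH_DSIZE two lines below still returns the raw field with no matching cast, so any caller that applies `roundup2()` directly to `NVH_DSIZE(nvh)` keeps the wrap the commit message describes; if the intent is that only the rewritten check in `nv_validate` guards against that, say so next to the macro.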
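Review bot: `size - NVH_HSIZE(nvh)` in the new condition is unsigned arithmetic, so if `size` is smaller than `NVH_HSIZE(nvh)` the difference wraps to a huge value, `roundup2(dsize, 8) > size - NVH_HSIZE(nvh)` is false for every `dsize`, and a truncated message is accepted. The removed `size < NVH_SIZE(nvh)` comparison did not subtract, so it did not have this failure mode. The hunk shows no earlier guarantee that `size >= NVH_HSIZE(nvh)`; either confirm one exists above the shown context or make the condition self-contained:

	if (NVH_HSIZE(nvh) > size || roundup2(dsize, 8) == 0 ||
	    roundup2(dsize, 8) > size - NVH_HSIZE(nvh)) {

A second point for a comment: `roundup2(dsize, 8) == 0` catches the wrap only if `dsize` has the width of the on-the-wire field returned by NVH_DSIZE; if `dsize` is a wider local (for example a `size_t` on LP64), the oversized values are instead rejected by the second comparison. That is still correct, but since the commit message attributes the fix to the rounding-to-zero case, the code should state which of the two tests is expected to fire.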
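The wrap the commit message describes, as an added example in C that is not part of the FreeBSD source or of this commit: the `roundup2()` macro below is the definition from sys/param.h, but `struct hdr`, `HSIZE()` and the two check functions are stand-ins for the hastd definitions, reconstructed from the hunk with assumed field widths (an 8-bit name size and a 32-bit data size). The pre-patch check is rebuilt from the removed lines; the post-patch check is the new condition with the header-fits-in-buffer guard written out explicitly. Claimed data sizes from 0xFFFFFFF9 upward round to 0 in 32-bit arithmetic, pass the old check, and are rejected by the new one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as roundup2() in FreeBSD's sys/param.h; y is a power of two.
 * The addition happens in the promoted type of x, which is the whole point:
 * for a uint32_t x >= 0xFFFFFFF9, x + 7 wraps and the mask yields 0. */
#define roundup2(x, y) (((x) + ((y) - 1)) & (~((y) - 1)))

/* Stand-in for struct nvhdr.  The field widths are an assumption made for
 * this example; the patch does not show the real declaration. */
struct hdr {
	uint8_t  type;
	uint8_t  namesize;     /* length of the name that follows the header */
	uint32_t dsize;        /* claimed data size, host byte order assumed */
};

/* NVH_HSIZE as written in the patch: header plus name rounded up to 8. */
#define HSIZE(h) (sizeof(struct hdr) + roundup2((size_t)(h)->namesize, 8))

/* roundup2() evaluated in 32-bit unsigned arithmetic, as it is whenever the
 * operand is the uint32_t field itself. */
uint32_t round8_u32(uint32_t x)
{
	return roundup2(x, 8);
}

/* The same rounding after widening to size_t, mirroring the cast the patch
 * adds to NVH_HSIZE; on LP64 this can no longer wrap to zero. */
size_t round8_cast(uint32_t x)
{
	return roundup2((size_t)x, 8);
}

/* Pre-patch check, rebuilt from the removed lines: reject dsize == 0, then
 * require the whole message (header + rounded data) to fit in size.  The
 * rounded data length comes from roundup2() on the 32-bit field, so a
 * claimed size of 0xFFFFFFFD contributes 0 and the test passes. */
bool old_check_accepts(uint8_t namesize, uint32_t dsize, size_t size)
{
	struct hdr h = { .type = 0, .namesize = namesize, .dsize = dsize };

	if (h.dsize == 0)
		return false;
	/* equivalent of the removed `size < NVH_SIZE(nvh)` comparison */
	return size >= HSIZE(&h) + roundup2(h.dsize, 8);
}

/* Post-patch check.  The first guard is not in the hunk itself; it makes
 * the unsigned subtraction below safe without relying on an earlier test. */
bool new_check_accepts(uint8_t namesize, uint32_t dsize, size_t size)
{
	struct hdr h = { .type = 0, .namesize = namesize, .dsize = dsize };

	if (HSIZE(&h) > size)
		return false;
	if (roundup2(dsize, 8) == 0 || roundup2(dsize, 8) > size - HSIZE(&h))
		return false;
	return true;
}

int main(void)
{
	/* Constructed inputs: a 64-byte message carrying a 4-byte name, with
	 * a range of claimed data sizes from benign to wrapping. */
	const size_t size = 64;
	const uint32_t claimed[] = { 0, 8, 48, 56, 0xFFFFFFF8u, 0xFFFFFFFDu };
	size_t i;

	for (i = 0; i < sizeof(claimed) / sizeof(claimed[0]); i++) {
		uint32_t d = claimed[i];

		printf("dsize=0x%08lx round8=0x%08lx old=%s new=%s\n",
		    (unsigned long)d, (unsigned long)round8_u32(d),
		    old_check_accepts(4, d, size) ? "accept" : "reject",
		    new_check_accepts(4, d, size) ? "accept" : "reject");
	}
	return 0;
}
```

With the assumed layout the header plus rounded name occupies 16 bytes, so 48 bytes of data is the largest legitimate claim for a 64-byte buffer; 56 is rejected by both checks, while 0xFFFFFFFD is accepted by the old check and rejected by the new one. Reading past a 64-byte buffer by a few gigabytes is what the commit message refers to as the later segfault.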