From nobody Wed Jan 11 10:40:01 2023 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NsPMP6kchz2r1X1; Wed, 11 Jan 2023 10:40:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NsPMP4rflz3PPy; Wed, 11 Jan 2023 10:40:01 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1673433601; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=XuF/K6p/LQbkIy7KRIiWaKd81w0+cLFfuXkcAQahF9M=; b=I3OIQdaMvsibbI87njpQJL218JUyTEbHuxCDKPVlZwuOps6xJNObL6+Z9LVTcnK4O/j/jj S4UW/2POSM80p+p697ramhyhm0eNKVu6NFC15l1tlM+flKb2PV6bmxEZ3fJQlw10CkGsHi aSe+N1tNcoQK3QyQqpsnF87xZG20+q7KXuXikVxqQ0tNup7Ta78UoGaY6rTQsS7AKOWr43 Fgd+TSB0xu4hLYL8ZBiqjHAihkbryXeA/ZfxqBlNqnIWIjahNWSuPdVp1GBNVT+bMTAl6/ q3gKxzokM+V7YNxCj3wHmN1CrvktQXqIZiUbOwf3BpLoOcDqOfSxUt/EKIFJjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1673433601; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=XuF/K6p/LQbkIy7KRIiWaKd81w0+cLFfuXkcAQahF9M=; b=p8kONyBSF22ob69MS46K+tGquYDzzlrtFhq2/bAROexUjyqfSfvPVqGVp1DoAQwbyy9BIu u3NgSfVf+lEZj+Leh9SbRl5otItrKqgLHaSW4Y4Hc8D098AX407Oi6bPbanyTErTAun5Hb TS/Ic0+sZIQHo5EiF/AXONcw07CVdP2ePcToJNG3O4Omn8yAFRQe25NKWsYLnWwm+zP3c0 KQYh5JprpB0pPA/ouGD6Tk9SKPoRd6MRQejBvOlZg4nNDZ9hI4xGgbHHXYi0tPDZiD3mCn y7gSPlo2OgrNqadQXOneIVIbzMXktX5E/L53Y/Q1U6+nZMD9QkF9IgDNPTc0gQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1673433601; a=rsa-sha256; cv=none; b=AyFOfgj/xFKmeh2bML1olUUaI9n9y0Ige5Vi7N5VtH0BBDDXvae5jisdrHngTVxE52rq5J B4/UYdxGAqelnYQNLzsDJbra04ObzJZ6+Il8ZGjvmnWtxHjd4o0mUqK36Pi0qcZPVTsFJK IrK2V6jTWco0tGiDn/FOwYfoLsm+gY29rmcucMcyvl6lYMTxhriah/ENfT9yrWkTal8vfB hMdT3FngW78DxnZ7OWlzcVS/QJ0pK44kFRYJLG7Tinu8QFNYbnEkEN42q0eP87KE+CLiTq 4bns5zQU2B/kbOMlsxOJWYUNeKpEGj3fxJJ3BL58TNa8AfIZTZIxYgnI1YYEjg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4NsPMP3lD6zl7d; Wed, 11 Jan 2023 10:40:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 30BAe1NF069978; Wed, 11 Jan 2023 10:40:01 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 30BAe18q069975; Wed, 11 Jan 2023 10:40:01 GMT (envelope-from git) Date: Wed, 11 Jan 2023 10:40:01 GMT Message-Id: <202301111040.30BAe18q069975@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Zhenlei Huang Subject: git: 3070bedd3dc5 - stable/13 - geom_part: Fix potential integer overflow when checking size of the table List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: zlei X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 3070bedd3dc54196f48645966eb34bd3a9bf131d Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by zlei: URL: https://cgit.FreeBSD.org/src/commit/?id=3070bedd3dc54196f48645966eb34bd3a9bf131d commit 3070bedd3dc54196f48645966eb34bd3a9bf131d Author: Zhenlei Huang AuthorDate: 2022-12-21 01:04:30 +0000 Commit: Zhenlei Huang CommitDate: 2023-01-11 10:35:59 +0000 geom_part: Fix potential integer overflow when checking size of the table `hdr_entries` and `hdr_entsz` are both uint32_t as defined in UEFI spec. Current spec does not have upper limit of the number of partition entries and the size of partition entry, it is potential that malicious or corrupted GPT header read from untrusted source contains large size of entry number or size. PR: 266548 Reviewed by: oshogbo, cem, imp, markj Approved by: kp (mentor) MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D36709 (cherry picked from commit 2e543af13ab3746c7626c53293c007c8747eff9d) --- sys/geom/part/g_part_gpt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/geom/part/g_part_gpt.c b/sys/geom/part/g_part_gpt.c index a42a20683792..775ec20081ea 100644 --- a/sys/geom/part/g_part_gpt.c +++ b/sys/geom/part/g_part_gpt.c @@ -515,7 +515,8 @@ gpt_read_hdr(struct g_part_gpt_table *table, struct g_consumer *cp, hdr->hdr_lba_table <= hdr->hdr_lba_end) goto fail; lba = hdr->hdr_lba_table + - howmany(hdr->hdr_entries * hdr->hdr_entsz, pp->sectorsize) - 1; + howmany((uint64_t)hdr->hdr_entries * hdr->hdr_entsz, + pp->sectorsize) - 1; if (lba >= last) goto fail; if (lba >= hdr->hdr_lba_start && lba <= hdr->hdr_lba_end)