git: c03c1abd2ccb - stable/13 - g_label: Handle small sector sizes when tasting
Mark Johnston
markj at FreeBSD.org
Tue Sep 14 12:52:08 UTC 2021
The branch stable/13 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=c03c1abd2ccb6431372b6f8c435463440cc4a5bc
commit c03c1abd2ccb6431372b6f8c435463440cc4a5bc
Author: Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2021-09-07 13:46:58 +0000
Commit: Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-09-14 12:50:09 +0000
g_label: Handle small sector sizes when tasting
Make sure that the provider sector size is large enough to contain a
valid label before trying to read it. We performed this check already
for most label types, but not for several filesystem labels.
Reported by: syzbot+f52918174cdf193ae29c at syzkaller.appspotmail.com
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 5402baa5b5d14819101e1e847df66b02cedf1639)
---
sys/geom/label/g_label.c | 2 ++
sys/geom/label/g_label_ext2fs.c | 4 +++-
sys/geom/label/g_label_iso9660.c | 5 +++--
sys/geom/label/g_label_ntfs.c | 6 +++++-
sys/geom/label/g_label_reiserfs.c | 4 +++-
5 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/sys/geom/label/g_label.c b/sys/geom/label/g_label.c
index 026f5318b4ed..1df7e799b014 100644
--- a/sys/geom/label/g_label.c
+++ b/sys/geom/label/g_label.c
@@ -310,6 +310,8 @@ g_label_read_metadata(struct g_consumer *cp, struct g_label_metadata *md)
int error;
pp = cp->provider;
+ if (pp->sectorsize < sizeof(*md))
+ return (EINVAL);
buf = g_read_data(cp, pp->mediasize - pp->sectorsize, pp->sectorsize,
&error);
if (buf == NULL)
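Review bot: The new guard `if (pp->sectorsize < sizeof(*md))` bounds the sector against the in-memory struct rather than against the number of bytes the decoder reads out of `buf`, and nothing at the check records why that bound is sufficient. If the on-disk record is decoded at fixed offsets (the decode step is outside this hunk), struct padding would presumably make `sizeof(*md)` at least as large as the encoded length, so the check is safe but the reasoning is implicit; a one-line comment such as `/* The last sector must hold a complete encoded metadata record. */` would state it. The same `sizeof(*fs)` / `sizeof(*bf)` pattern is used in the ext2fs, ntfs and reiserfs hunks, where it holds only as long as those structs cover every field the taste code later reads from the sector. g_label_read_metadata continues past the end of this hunk.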
diff --git a/sys/geom/label/g_label_ext2fs.c b/sys/geom/label/g_label_ext2fs.c
index 2003d9b631f6..3420efb7ca3a 100644
--- a/sys/geom/label/g_label_ext2fs.c
+++ b/sys/geom/label/g_label_ext2fs.c
@@ -64,8 +64,10 @@ g_label_ext2fs_taste(struct g_consumer *cp, char *label, size_t size)
if ((EXT2FS_SB_OFFSET % pp->sectorsize) != 0)
return;
+ if (pp->sectorsize < sizeof(*fs))
+ return;
- fs = (e2sb_t *)g_read_data(cp, EXT2FS_SB_OFFSET, pp->sectorsize, NULL);
+ fs = g_read_data(cp, EXT2FS_SB_OFFSET, pp->sectorsize, NULL);
if (fs == NULL)
return;
diff --git a/sys/geom/label/g_label_iso9660.c b/sys/geom/label/g_label_iso9660.c
index bd44a38cb972..b46a47bbd36a 100644
--- a/sys/geom/label/g_label_iso9660.c
+++ b/sys/geom/label/g_label_iso9660.c
@@ -54,8 +54,9 @@ g_label_iso9660_taste(struct g_consumer *cp, char *label, size_t size)
if ((ISO9660_OFFSET % pp->sectorsize) != 0)
return;
- sector = (char *)g_read_data(cp, ISO9660_OFFSET, pp->sectorsize,
- NULL);
+ if (pp->sectorsize < 0x28 + VOLUME_LEN)
+ return;
+ sector = g_read_data(cp, ISO9660_OFFSET, pp->sectorsize, NULL);
if (sector == NULL)
return;
if (bcmp(sector, ISO9660_MAGIC, sizeof(ISO9660_MAGIC) - 1) != 0) {
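Review bot: The bound in `if (pp->sectorsize < 0x28 + VOLUME_LEN)` uses a bare `0x28` for the volume-label offset, so the length check and the code that later reads the label out of `sector` (outside this hunk) can drift apart without the compiler noticing. A named constant next to `VOLUME_LEN`, for example `#define ISO9660_VOLUME_OFFSET 0x28`, with the check written as `if (pp->sectorsize < ISO9660_VOLUME_OFFSET + VOLUME_LEN)`, ties the guard to the read it protects. The body of g_label_iso9660_taste continues beyond the hunk, so the read site would need the same constant.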
diff --git a/sys/geom/label/g_label_ntfs.c b/sys/geom/label/g_label_ntfs.c
index dee105bcc833..f78d4d28b967 100644
--- a/sys/geom/label/g_label_ntfs.c
+++ b/sys/geom/label/g_label_ntfs.c
@@ -108,9 +108,13 @@ g_label_ntfs_taste(struct g_consumer *cp, char *label, size_t size)
label[0] = '\0';
pp = cp->provider;
+ bf = NULL;
filerecp = NULL;
- bf = (struct ntfs_bootfile *)g_read_data(cp, 0, pp->sectorsize, NULL);
+ if (pp->sectorsize < sizeof(*bf))
+ goto done;
+
+ bf = g_read_data(cp, 0, pp->sectorsize, NULL);
if (bf == NULL || strncmp(bf->bf_sysid, "NTFS ", 8) != 0)
goto done;
diff --git a/sys/geom/label/g_label_reiserfs.c b/sys/geom/label/g_label_reiserfs.c
index 4ed04f632324..d6f9a0428b6a 100644
--- a/sys/geom/label/g_label_reiserfs.c
+++ b/sys/geom/label/g_label_reiserfs.c
@@ -61,8 +61,10 @@ g_label_reiserfs_read_super(struct g_consumer *cp, off_t offset)
if ((offset % secsize) != 0)
return (NULL);
+ if (secsize < sizeof(*fs))
+ return (NULL);
- fs = (reiserfs_sb_t *)g_read_data(cp, offset, secsize, NULL);
+ fs = g_read_data(cp, offset, secsize, NULL);
if (fs == NULL)
return (NULL);