svn commit: r298671 - head/sys/geom/part
Conrad E. Meyer
cem at FreeBSD.org
Tue Apr 26 22:30:55 UTC 2016
Author: cem
Date: Tue Apr 26 22:30:54 2016
New Revision: 298671
URL: https://svnweb.freebsd.org/changeset/base/298671
Log:
g_part_bsd64: Check for valid on-disk npartitions value
This value is u32 on disk, but assigned to an int in memory. After we do the
implicit conversion via assignment, check that the result is at least one[1]
(non-negative[2]).
1. The subsequent for-loop iterates from gpt_entries minus one, down, until
reaching zero. A negative or zero initial index results in undefined signed
integer overflow.
2. It is also used to index into arrays later.
In practice, we expected non-malicious disks to contain small positive values.
Reported by: Coverity
CID: 1223202
Sponsored by: EMC / Isilon Storage Division
Modified:
head/sys/geom/part/g_part_bsd64.c
Modified: head/sys/geom/part/g_part_bsd64.c
==============================================================================
--- head/sys/geom/part/g_part_bsd64.c Tue Apr 26 22:01:07 2016 (r298670)
+++ head/sys/geom/part/g_part_bsd64.c Tue Apr 26 22:30:54 2016 (r298671)
@@ -509,7 +509,8 @@ g_part_bsd64_read(struct g_part_table *b
dlp = (struct disklabel64 *)buf;
basetable->gpt_entries = le32toh(dlp->d_npartitions);
- if (basetable->gpt_entries > MAXPARTITIONS64)
+ if (basetable->gpt_entries > MAXPARTITIONS64 ||
+ basetable->gpt_entries < 1)
goto invalid_label;
v32 = le32toh(dlp->d_crc);
dlp->d_crc = 0;
More information about the svn-src-head
mailing list