Date: Wed, 21 Dec 2022 01:18:29 GMT
Message-Id: <202212210118.2BL1ITsW080192@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Zhenlei Huang
Subject: git: 2e543af13ab3 - main - geom_part: Fix potential integer overflow when checking size of the table
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch main has been updated by zlei:

URL: https://cgit.FreeBSD.org/src/commit/?id=2e543af13ab3746c7626c53293c007c8747eff9d

commit 2e543af13ab3746c7626c53293c007c8747eff9d
Author:     Zhenlei Huang
AuthorDate: 2022-12-21 01:04:30 +0000
Commit:     Zhenlei Huang
CommitDate: 2022-12-21 01:04:30 +0000

    geom_part: Fix potential integer overflow when checking size of the table

    `hdr_entries` and `hdr_entsz` are both uint32_t as defined in the UEFI
    spec. The current spec does not set an upper limit on the number of
    partition entries or on the size of a partition entry; it is possible
    that a malicious or corrupted GPT header read from an untrusted source
    contains a large number of entries or a large entry size.

    PR:             266548
    Reviewed by:    oshogbo, cem, imp, markj
    Approved by:    kp (mentor)
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D36709
---
 sys/geom/part/g_part_gpt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/geom/part/g_part_gpt.c b/sys/geom/part/g_part_gpt.c index cd04fe714fbe..e0c477f467b4 100644 --- a/sys/geom/part/g_part_gpt.c +++ b/sys/geom/part/g_part_gpt.c
@@ -515,7 +515,8 @@ gpt_read_hdr(struct g_part_gpt_table *table, struct g_consumer *cp, hdr->hdr_lba_table <= hdr->hdr_lba_end) goto fail; lba = hdr->hdr_lba_table + - howmany(hdr->hdr_entries * hdr->hdr_entsz, pp->sectorsize) - 1; + howmany((uint64_t)hdr->hdr_entries * hdr->hdr_entsz, + pp->sectorsize) - 1; if (lba >= last) goto fail; if (lba >= hdr->hdr_lba_start && lba <= hdr->hdr_lba_end)
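Review bot: In the `lba = hdr->hdr_lba_table + howmany(...) - 1` computation in gpt_read_hdr(), the cast widens the product to 64 bits, but the addition to `hdr->hdr_lba_table` is still unchecked in these lines, and the only rejection that follows is `if (lba >= last)`. Both header fields remain attacker-controlled up to UINT32_MAX, so the table length in sectors can still be very large before it is compared with `last`. Consider rejecting implausible `hdr_entries` / `hdr_entsz` values before this arithmetic (the commit message notes the spec sets no upper limit), or add a short comment stating why the sum cannot wrap given the earlier bounds on `hdr->hdr_lba_table`. The diffstat shows a single site changed in g_part_gpt.c, so it is also worth confirming that no other use of `hdr->hdr_entries * hdr->hdr_entsz` in that file is still evaluated in 32 bits. A brief comment next to the `(uint64_t)` cast explaining that it is there to avoid 32-bit wraparound would keep a later cleanup from removing it.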