From nobody Wed Sep 06 04:53:06 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RgVPH2W4bz4sLnS; Wed, 6 Sep 2023 04:53:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RgVPH17VQz3TyD; Wed, 6 Sep 2023 04:53:07 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1693975987; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=wHDgJEtrzpfa65gJ2kN0FrhZjWBG3FoXE4HgvO0YNpM=; b=azy4aGID6lAADamlOUEK5OA9kCmk2Q/eFbkyfT2HHlAyL6HFkIaq0XdHmHkblV/fvVE7D8 8udQubQbo71WTwricnAaiFggYuvmh8GyqzF5TJeHyg2w7mmuTpw5ylmduUVDdswEuKNDwy KwIpu4Vobq4gLqJrhdkYWsOSHuwBI+4e6lgxELUCWW6hgid1vD9n4G0lJ0uGsxpJmEP4LX 9hg8jB7KFemaiToCEYt5kbd6yNmZt+ZYx5aQaW/7IJiCcnGmq0hv9z7+KZ5oaPXCx9M/dS X0FqXmQ2gaP6P2KQNncjmH0Y/wj8QNs9IaBBL7dXWZT75VE5BkhZr3u3SY7XJA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1693975987; a=rsa-sha256; cv=none; b=nnhFLHSdyFGQ+d/2FDlTWi4zTV+HcF6qfSussCrfD/BvjqIa0TUsRFxarWhy1OdwvGNzb8 jE7T/kj6uoyVIvHUZQMUWuFdhkMGD3yYd3jX051rPIX0OZjQXQD0R66kzrUvz2Hw/G1cnH vdaMLn+5Cw+igqRMDhwYoRn0bft8+8UokMxpkKy5oN7IapVrs0KxxlMzxOvv9VN3pKtMT9 bLh3hHkGhHH/yfg0DPYTQx0UzqNgXruG7WgiM4klCWC0mhKR1I1nK9FFhhOy++sGNr2sx1 lxFqZC/ZJLtPliGT6wMWQ/EgSbqHsosrmt9a+sBPiRnNSwVOj9VL2ePcsfdncg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1693975987; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=wHDgJEtrzpfa65gJ2kN0FrhZjWBG3FoXE4HgvO0YNpM=; b=a3BHbXR/ns2V4Difngvk64Jswlmm0h0L7NvOiBAgQYIpmOGee6SpVP47kmQCD4aRghbsMl XbSQtMXYgEJiF9wt2AwN7UXIvYj2s95PIIDz/PDvUuj5Ykrbu9mMaOMYXq9U3lExbvh038 qoDXVqQvzrpD8zGnt2ZgAyOTQ38yeJ4WwqeqaIusYBLvk4yW8OGM6ApA9tICyonFYgUS7Z gMN1KhTLC8di6wsehEAape68NPi956CGxiX7pMvAi+eGpXku3t/wMTSQ/fYDfvH/8I2m+/ 9puDjYtdrzGrgz7FAuU+gNVhfk8gCpLUgCc+1yBRrF6J2v1fwgZknk62FpV05A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RgVPH0D0Pz12qV; Wed, 6 Sep 2023 04:53:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 3864r6IL022341; Wed, 6 Sep 2023 04:53:06 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 3864r6Lu022338; Wed, 6 Sep 2023 04:53:06 GMT (envelope-from git) Date: Wed, 6 Sep 2023 04:53:06 GMT Message-Id: <202309060453.3864r6Lu022338@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Zhenlei Huang Subject: git: 8fdb1181ab8d - stable/12 - geom_part: Fix potential integer overflow when checking size of the table List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: zlei X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 8fdb1181ab8d28cbf62b1917b602028e34c8c9cc Auto-Submitted: auto-generated The branch stable/12 has been updated by zlei: URL: https://cgit.FreeBSD.org/src/commit/?id=8fdb1181ab8d28cbf62b1917b602028e34c8c9cc commit 8fdb1181ab8d28cbf62b1917b602028e34c8c9cc Author: Zhenlei Huang AuthorDate: 2022-12-21 01:04:30 +0000 Commit: Zhenlei Huang CommitDate: 2023-09-06 04:32:56 +0000 geom_part: Fix potential integer overflow when checking size of the table `hdr_entries` and `hdr_entsz` are both uint32_t as defined in UEFI spec. Current spec does not have upper limit of the number of partition entries and the size of partition entry, it is potential that malicious or corrupted GPT header read from untrusted source contains large size of entry number or size. PR: 266548 Reviewed by: oshogbo, cem, imp, markj Approved by: kp (mentor) MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D36709 (cherry picked from commit 2e543af13ab3746c7626c53293c007c8747eff9d) (cherry picked from commit 3070bedd3dc54196f48645966eb34bd3a9bf131d) --- sys/geom/part/g_part_gpt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/geom/part/g_part_gpt.c b/sys/geom/part/g_part_gpt.c index f0890fd71cd0..0fd952153e6c 100644 --- a/sys/geom/part/g_part_gpt.c +++ b/sys/geom/part/g_part_gpt.c @@ -492,7 +492,8 @@ gpt_read_hdr(struct g_part_gpt_table *table, struct g_consumer *cp, hdr->hdr_lba_table <= hdr->hdr_lba_end) goto fail; lba = hdr->hdr_lba_table + - howmany(hdr->hdr_entries * hdr->hdr_entsz, pp->sectorsize) - 1; + howmany((uint64_t)hdr->hdr_entries * hdr->hdr_entsz, + pp->sectorsize) - 1; if (lba >= last) goto fail; if (lba >= hdr->hdr_lba_start && lba <= hdr->hdr_lba_end)