|
 |
80913e |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
80913e |
From: Peter Jones <pjones@redhat.com>
|
|
|
80913e |
Date: Sun, 19 Jul 2020 15:48:20 -0400
|
|
|
80913e |
Subject: [PATCH] lvm: fix two more potential data-dependent alloc overflows
|
|
|
80913e |
|
|
|
80913e |
It appears to be possible to make a (possibly invalid) lvm PV with a
|
|
|
80913e |
metadata size field that overflows our type when adding it to the
|
|
|
80913e |
address we've allocated. Even if it doesn't, it may be possible to do
|
|
|
80913e |
so with the math using the outcome of that as an operand. Check them
|
|
|
80913e |
both.
|
|
|
80913e |
|
|
|
80913e |
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
80913e |
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
|
|
80913e |
Upstream-commit-id: 45ec6046ea0
|
|
|
80913e |
---
|
|
|
80913e |
grub-core/disk/lvm.c | 48 ++++++++++++++++++++++++++++++++++++++++--------
|
|
|
80913e |
1 file changed, 40 insertions(+), 8 deletions(-)
|
|
|
80913e |
|
|
|
80913e |
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
|
|
|
b32e65 |
index d1df640b3..ca09d4699 100644
|
|
|
80913e |
--- a/grub-core/disk/lvm.c
|
|
|
80913e |
+++ b/grub-core/disk/lvm.c
|
|
|
80913e |
@@ -25,6 +25,7 @@
|
|
|
80913e |
#include <grub/lvm.h>
|
|
|
80913e |
#include <grub/partition.h>
|
|
|
80913e |
#include <grub/i18n.h>
|
|
|
80913e |
+#include <grub/safemath.h>
|
|
|
80913e |
|
|
|
80913e |
#ifdef GRUB_UTIL
|
|
|
80913e |
#include <grub/emu/misc.h>
|
|
|
80913e |
@@ -102,10 +103,12 @@ grub_lvm_detect (grub_disk_t disk,
|
|
|
80913e |
{
|
|
|
80913e |
grub_err_t err;
|
|
|
80913e |
grub_uint64_t mda_offset, mda_size;
|
|
|
80913e |
+ grub_size_t ptr;
|
|
|
80913e |
char buf[GRUB_LVM_LABEL_SIZE];
|
|
|
80913e |
char vg_id[GRUB_LVM_ID_STRLEN+1];
|
|
|
80913e |
char pv_id[GRUB_LVM_ID_STRLEN+1];
|
|
|
80913e |
- char *metadatabuf, *p, *q, *vgname;
|
|
|
80913e |
+ char *metadatabuf, *mda_end, *vgname;
|
|
|
80913e |
+ char *p, *q;
|
|
|
80913e |
struct grub_lvm_label_header *lh = (struct grub_lvm_label_header *) buf;
|
|
|
80913e |
struct grub_lvm_pv_header *pvh;
|
|
|
80913e |
struct grub_lvm_disk_locn *dlocn;
|
|
|
80913e |
@@ -205,19 +208,31 @@ grub_lvm_detect (grub_disk_t disk,
|
|
|
80913e |
grub_le_to_cpu64 (rlocn->size) -
|
|
|
80913e |
grub_le_to_cpu64 (mdah->size));
|
|
|
80913e |
}
|
|
|
80913e |
- p = q = metadatabuf + grub_le_to_cpu64 (rlocn->offset);
|
|
|
80913e |
|
|
|
80913e |
- while (*q != ' ' && q < metadatabuf + mda_size)
|
|
|
80913e |
- q++;
|
|
|
80913e |
-
|
|
|
80913e |
- if (q == metadatabuf + mda_size)
|
|
|
80913e |
+ if (grub_add ((grub_size_t)metadatabuf,
|
|
|
80913e |
+ (grub_size_t)grub_le_to_cpu64 (rlocn->offset),
|
|
|
80913e |
+ &ptr))
|
|
|
80913e |
{
|
|
|
80913e |
+error_parsing_metadata:
|
|
|
80913e |
#ifdef GRUB_UTIL
|
|
|
80913e |
grub_util_info ("error parsing metadata");
|
|
|
80913e |
#endif
|
|
|
80913e |
goto fail2;
|
|
|
80913e |
}
|
|
|
80913e |
|
|
|
80913e |
+ p = q = (char *)ptr;
|
|
|
80913e |
+
|
|
|
80913e |
+ if (grub_add ((grub_size_t)metadatabuf, (grub_size_t)mda_size, &ptr))
|
|
|
80913e |
+ goto error_parsing_metadata;
|
|
|
80913e |
+
|
|
|
80913e |
+ mda_end = (char *)ptr;
|
|
|
80913e |
+
|
|
|
80913e |
+ while (*q != ' ' && q < mda_end)
|
|
|
80913e |
+ q++;
|
|
|
80913e |
+
|
|
|
80913e |
+ if (q == mda_end)
|
|
|
80913e |
+ goto error_parsing_metadata;
|
|
|
80913e |
+
|
|
|
80913e |
vgname_len = q - p;
|
|
|
80913e |
vgname = grub_malloc (vgname_len + 1);
|
|
|
80913e |
if (!vgname)
|
|
|
80913e |
@@ -367,8 +382,25 @@ grub_lvm_detect (grub_disk_t disk,
|
|
|
80913e |
{
|
|
|
80913e |
const char *iptr;
|
|
|
80913e |
char *optr;
|
|
|
80913e |
- lv->fullname = grub_malloc (sizeof ("lvm/") - 1 + 2 * vgname_len
|
|
|
80913e |
- + 1 + 2 * s + 1);
|
|
|
80913e |
+
|
|
|
80913e |
+ /* this is kind of hard to read with our safe (but rather
|
|
|
80913e |
+ * baroque) math primatives, but it boils down to:
|
|
|
80913e |
+ *
|
|
|
80913e |
+ * sz0 = vgname_len * 2 + 1
|
|
|
80913e |
+ * + s * 2 + 1
|
|
|
80913e |
+ * + sizeof ("lvm/") - 1;
|
|
|
80913e |
+ */
|
|
|
80913e |
+ grub_size_t sz0 = vgname_len, sz1 = s;
|
|
|
80913e |
+
|
|
|
80913e |
+ if (grub_mul (sz0, 2, &sz0) ||
|
|
|
80913e |
+ grub_add (sz0, 1, &sz0) ||
|
|
|
80913e |
+ grub_mul (sz1, 2, &sz1) ||
|
|
|
80913e |
+ grub_add (sz1, 1, &sz1) ||
|
|
|
80913e |
+ grub_add (sz0, sz1, &sz0) ||
|
|
|
80913e |
+ grub_add (sz0, sizeof ("lvm/") - 1, &sz0))
|
|
|
80913e |
+ goto lvs_fail;
|
|
|
80913e |
+
|
|
|
80913e |
+ lv->fullname = grub_malloc (sz0);
|
|
|
80913e |
if (!lv->fullname)
|
|
|
80913e |
goto lvs_fail;
|
|
|
80913e |
|