Blame SOURCES/0453-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read.patch

468bd4
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
468bd4
From: Daniel Axtens <dja@axtens.net>
468bd4
Date: Thu, 21 Jan 2021 17:59:14 +1100
468bd4
Subject: [PATCH] disk/lvm: Don't go beyond the end of the data we read from
468bd4
 disk
468bd4
468bd4
We unconditionally trusted offset_xl from the LVM label header, even if
468bd4
it told us that the PV header/disk locations were way off past the end
468bd4
of the data we read from disk.
468bd4
468bd4
Require that the offset be sane, fixing an OOB read and crash.
468bd4
468bd4
Fixes: CID 314367, CID 314371
468bd4
468bd4
Signed-off-by: Daniel Axtens <dja@axtens.net>
468bd4
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
468bd4
---
468bd4
 grub-core/disk/lvm.c | 14 ++++++++++++++
468bd4
 1 file changed, 14 insertions(+)
468bd4
468bd4
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
468bd4
index 4fbb3eac0ea..0f466040a55 100644
468bd4
--- a/grub-core/disk/lvm.c
468bd4
+++ b/grub-core/disk/lvm.c
468bd4
@@ -142,6 +142,20 @@ grub_lvm_detect (grub_disk_t disk,
468bd4
       goto fail;
468bd4
     }
468bd4
 
468bd4
+  /*
468bd4
+   * We read a grub_lvm_pv_header and then 2 grub_lvm_disk_locns that
468bd4
+   * immediately follow the PV header. Make sure we have space for both.
468bd4
+   */
468bd4
+  if (grub_le_to_cpu32 (lh->offset_xl) >=
468bd4
+      GRUB_LVM_LABEL_SIZE - sizeof (struct grub_lvm_pv_header) -
468bd4
+      2 * sizeof (struct grub_lvm_disk_locn))
468bd4
+    {
468bd4
+#ifdef GRUB_UTIL
468bd4
+      grub_util_info ("LVM PV header/disk locations are beyond the end of the block");
468bd4
+#endif
468bd4
+      goto fail;
468bd4
+    }
468bd4
+
468bd4
   pvh = (struct grub_lvm_pv_header *) (buf + grub_le_to_cpu32(lh->offset_xl));
468bd4
 
468bd4
   for (i = 0, j = 0; i < GRUB_LVM_ID_LEN; i++)