Blame SOURCES/0453-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read.patch

80913e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
80913e
From: Daniel Axtens <dja@axtens.net>
80913e
Date: Thu, 21 Jan 2021 17:59:14 +1100
80913e
Subject: [PATCH] disk/lvm: Don't go beyond the end of the data we read from
80913e
 disk
80913e
80913e
We unconditionally trusted offset_xl from the LVM label header, even if
80913e
it told us that the PV header/disk locations were way off past the end
80913e
of the data we read from disk.
80913e
80913e
Require that the offset be sane, fixing an OOB read and crash.
80913e
80913e
Fixes: CID 314367, CID 314371
80913e
80913e
Signed-off-by: Daniel Axtens <dja@axtens.net>
80913e
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
80913e
---
80913e
 grub-core/disk/lvm.c | 14 ++++++++++++++
80913e
 1 file changed, 14 insertions(+)
80913e
80913e
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
b32e65
index 4fbb3eac0..0f466040a 100644
80913e
--- a/grub-core/disk/lvm.c
80913e
+++ b/grub-core/disk/lvm.c
80913e
@@ -142,6 +142,20 @@ grub_lvm_detect (grub_disk_t disk,
80913e
       goto fail;
80913e
     }
80913e
 
80913e
+  /*
80913e
+   * We read a grub_lvm_pv_header and then 2 grub_lvm_disk_locns that
80913e
+   * immediately follow the PV header. Make sure we have space for both.
80913e
+   */
80913e
+  if (grub_le_to_cpu32 (lh->offset_xl) >=
80913e
+      GRUB_LVM_LABEL_SIZE - sizeof (struct grub_lvm_pv_header) -
80913e
+      2 * sizeof (struct grub_lvm_disk_locn))
80913e
+    {
80913e
+#ifdef GRUB_UTIL
80913e
+      grub_util_info ("LVM PV header/disk locations are beyond the end of the block");
80913e
+#endif
80913e
+      goto fail;
80913e
+    }
80913e
+
80913e
   pvh = (struct grub_lvm_pv_header *) (buf + grub_le_to_cpu32(lh->offset_xl));
80913e
 
80913e
   for (i = 0, j = 0; i < GRUB_LVM_ID_LEN; i++)