From 375eedc71f7eb42252edd96c53c4ab336b40ed32 Mon Sep 17 00:00:00 2001 From: ngie Date: Fri, 13 May 2016 08:54:08 +0000 Subject: [PATCH] MFC r298671,r298672: r298671 (by cem): g_part_bsd64: Check for valid on-disk npartitions value This value is u32 on disk, but assigned to an int in memory. After we do the implicit conversion via assignment, check that the result is at least one[1] (non-negative[2]). 1. The subsequent for-loop iterates from gpt_entries minus one, down, until reaching zero. A negative or zero initial index results in undefined signed integer overflow. 2. It is also used to index into arrays later. In practice, we expected non-malicious disks to contain small positive values. CID: 1223202 r298672 (by cem): g_part_bsd64: Delete duplicate/dead code RAW_PART is handled earlier in the loop. CID: 1223201 git-svn-id: svn://svn.freebsd.org/base/stable/10@299629 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 sys/geom/part/g_part_bsd64.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/sys/geom/part/g_part_bsd64.c b/sys/geom/part/g_part_bsd64.c
index 7586c9447..b49829873 100644
--- a/sys/geom/part/g_part_bsd64.c
+++ b/sys/geom/part/g_part_bsd64.c
@@ -510,7 +510,8 @@ g_part_bsd64_read(struct g_part_table *basetable, struct g_consumer *cp)
 dlp = (struct disklabel64 *)buf;
 basetable->gpt_entries = le32toh(dlp->d_npartitions);
- if (basetable->gpt_entries > MAXPARTITIONS64)
+ if (basetable->gpt_entries > MAXPARTITIONS64 ||
+ basetable->gpt_entries < 1)
 goto invalid_label;
 v32 = le32toh(dlp->d_crc);
 dlp->d_crc = 0;
@@ -563,8 +564,6 @@ g_part_bsd64_read(struct g_part_table *basetable, struct g_consumer *cp)
 le_uuid_dec(&dlp->d_partitions[index].p_stor_uuid,
 &entry->stor_uuid);
 entry->fstype = dlp->d_partitions[index].p_fstype;
- if (index == RAW_PART)
- baseentry->gpe_internal = 1;
 }
 bcopy(dlp->d_reserved0, table->d_reserved0,
 sizeof(table->d_reserved0));
-- 2.45.0
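Review bot: In the first hunk (`@@ -510,7 +510,8 @@`) the on-disk `d_npartitions` is still stored into `basetable->gpt_entries` before it is range-checked, so the bounds test runs on the value after the u32-to-int conversion, and the table field keeps the unvalidated value on the `invalid_label` path (whether that path resets it is not visible here). Validating in the unsigned domain first keeps the check independent of how out-of-range values convert: `v32 = le32toh(dlp->d_npartitions);`, `if (v32 < 1 || v32 > MAXPARTITIONS64) goto invalid_label;`, `basetable->gpt_entries = v32;`. This assumes `v32`, which the hunk shows being assigned from `le32toh(dlp->d_crc)`, is a 32-bit unsigned local. A short comment such as `/* d_npartitions comes from disk: the loop below counts down from gpt_entries - 1 and indexes arrays with it */` would record why the lower bound matters. The body of g_part_bsd64_read starts and ends outside the hunk.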