[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 086/117] disk/lvm: Don't go beyond the end of the data w
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 086/117] disk/lvm: Don't go beyond the end of the data we read from disk |
Date: |
Tue, 2 Mar 2021 19:01:33 +0100 |
From: Daniel Axtens <dja@axtens.net>
We unconditionally trusted offset_xl from the LVM label header, even if
it told us that the PV header/disk locations were way off past the end
of the data we read from disk.
Require that the offset be sane, fixing an OOB read and crash.
Fixes: CID 314367, CID 314371
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/disk/lvm.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
index 753545146..6988fe492 100644
--- a/grub-core/disk/lvm.c
+++ b/grub-core/disk/lvm.c
@@ -178,6 +178,20 @@ grub_lvm_detect (grub_disk_t disk,
goto fail;
}
+ /*
+ * We read a grub_lvm_pv_header and then 2 grub_lvm_disk_locns that
+ * immediately follow the PV header. Make sure we have space for both.
+ */
+ if (grub_le_to_cpu32 (lh->offset_xl) >=
+ GRUB_LVM_LABEL_SIZE - sizeof (struct grub_lvm_pv_header) -
+ 2 * sizeof (struct grub_lvm_disk_locn))
+ {
+#ifdef GRUB_UTIL
+ grub_util_info ("LVM PV header/disk locations are beyond the end of the
block");
+#endif
+ goto fail;
+ }
+
pvh = (struct grub_lvm_pv_header *) (buf + grub_le_to_cpu32(lh->offset_xl));
for (i = 0, j = 0; i < GRUB_LVM_ID_LEN; i++)
--
2.11.0
- [SECURITY PATCH 068/117] video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du(), (continued)
- [SECURITY PATCH 068/117] video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 072/117] fs/hfsplus: Don't fetch a key beyond the end of the node, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 071/117] fs/fshelp: Catch impermissibly large block sizes in read helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 082/117] io/gzio: Bail if gzio->tl/td is NULL, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 078/117] fs/jfs: Catch infinite recursion, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 073/117] fs/hfsplus: Don't use uninitialized data on corrupt filesystems, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 083/117] io/gzio: Add init_dynamic_block() clean up if unpacking codes fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 079/117] fs/nilfs2: Reject too-large keys, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 077/117] fs/jfs: Limit the extents that getblk() can consider, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 084/117] io/gzio: Catch missing values in huft_build() and bail, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 086/117] disk/lvm: Don't go beyond the end of the data we read from disk,
Daniel Kiper <=
- [SECURITY PATCH 087/117] disk/lvm: Don't blast past the end of the circular metadata buffer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 089/117] disk/lvm: Do not crash if an expected string is not found, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 085/117] io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 091/117] disk/lvm: Sanitize rlocn->offset to prevent wild read, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 096/117] kern/parser: Introduce process_char() helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 097/117] kern/parser: Introduce terminate_arg() helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 080/117] fs/nilfs2: Don't search children if provided number is too large, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 088/117] disk/lvm: Bail on missing PV list, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 099/117] kern/buffer: Add variable sized heap buffer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 076/117] fs/jfs: Do not move to leaf level if name length is negative, Daniel Kiper, 2021/03/02