Date:      Fri, 13 May 2016 08:54:08 +0000 (UTC)
From:      Garrett Cooper <ngie@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r299629 - stable/10/sys/geom/part
Message-ID:  <201605130854.u4D8s8Zl071515@repo.freebsd.org>

Author: ngie
Date: Fri May 13 08:54:08 2016
New Revision: 299629
URL: https://svnweb.freebsd.org/changeset/base/299629

Log:
  MFC r298671,r298672:
  
  r298671 (by cem):
  
  g_part_bsd64: Check for valid on-disk npartitions value
  
  This value is u32 on disk, but assigned to an int in memory.  After we do the
  implicit conversion via assignment, check that the result is at least one[1]
  (non-negative[2]).
  
  1. The subsequent for-loop iterates from gpt_entries minus one, down, until
     reaching zero.  A negative or zero initial index results in undefined signed
     integer overflow.
  2. It is also used to index into arrays later.
  
  In practice, we expected non-malicious disks to contain small positive values.
  
  CID:		1223202
  
  r298672 (by cem):
  
  g_part_bsd64: Delete duplicate/dead code
  
  RAW_PART is handled earlier in the loop.
  
  CID:		1223201

Modified:
  stable/10/sys/geom/part/g_part_bsd64.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/geom/part/g_part_bsd64.c
==============================================================================
--- stable/10/sys/geom/part/g_part_bsd64.c	Fri May 13 08:51:51 2016	(r299628)
+++ stable/10/sys/geom/part/g_part_bsd64.c	Fri May 13 08:54:08 2016	(r299629)
@@ -510,7 +510,8 @@ g_part_bsd64_read(struct g_part_table *b
 
 	dlp = (struct disklabel64 *)buf;
 	basetable->gpt_entries = le32toh(dlp->d_npartitions);
-	if (basetable->gpt_entries > MAXPARTITIONS64)
+	if (basetable->gpt_entries > MAXPARTITIONS64 ||
+	    basetable->gpt_entries < 1)
 		goto invalid_label;
 	v32 = le32toh(dlp->d_crc);
 	dlp->d_crc = 0;
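Review bot: the new `basetable->gpt_entries < 1` test only rejects large on-disk values because the `le32toh(dlp->d_npartitions)` result has already been stored in the signed field, so a value with the top bit set is caught as "negative" through the implicit conversion the log describes rather than through an explicit bound. Consider reading the field into a `uint32_t` local, rejecting `n == 0 || n > MAXPARTITIONS64` there, and assigning to `gpt_entries` only after it passes; the range check then no longer depends on how the out-of-range conversion behaves, and a rejected label never leaves an invalid count in `basetable`. A short comment next to the check saying that the later loop counts down from `gpt_entries - 1` and uses the value as an array index would record why the lower bound matters.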
@@ -563,8 +564,6 @@ g_part_bsd64_read(struct g_part_table *b
 		le_uuid_dec(&dlp->d_partitions[index].p_stor_uuid,
 		    &entry->stor_uuid);
 		entry->fstype = dlp->d_partitions[index].p_fstype;
-		if (index == RAW_PART)
-			baseentry->gpe_internal = 1;
 	}
 	bcopy(dlp->d_reserved0, table->d_reserved0,
 	    sizeof(table->d_reserved0));
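Review bot: the two removed lines (`if (index == RAW_PART)` / `baseentry->gpe_internal = 1;`) are justified only by the log's statement that RAW_PART is handled earlier in the loop, and that earlier handling is not part of the context shown here. Before merging, confirm that the earlier branch either sets `gpe_internal` for the raw partition or skips the rest of the iteration for it, so that removing this assignment does not change which entry ends up marked internal; naming that earlier branch in the log message would let a reader verify the "dead code" claim from the commit alone.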


