[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 089/117] disk/lvm: Do not crash if an expected string is
|
From: |
Daniel Kiper |
|
Subject: |
[SECURITY PATCH 089/117] disk/lvm: Do not crash if an expected string is not found |
|
Date: |
Tue, 2 Mar 2021 19:01:36 +0100 |
From: Daniel Axtens <dja@axtens.net>
Clean up a bunch of cases where we could have strstr() fail and lead to
us dereferencing NULL.
We'll still leak memory in some cases (loops don't clean up allocations
from earlier iterations if a later iteration fails) but at least we're
not crashing.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/disk/lvm.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
index 31bbc9acc..201097fda 100644
--- a/grub-core/disk/lvm.c
+++ b/grub-core/disk/lvm.c
@@ -578,7 +578,16 @@ grub_lvm_detect (grub_disk_t disk,
}
if (seg->node_count != 1)
- seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size
= ");
+ {
+ seg->stripe_size = grub_lvm_getvalue (&p,
"stripe_size = ");
+ if (p == NULL)
+ {
+#ifdef GRUB_UTIL
+ grub_util_info ("unknown stripe_size");
+#endif
+ goto lvs_segment_fail;
+ }
+ }
seg->nodes = grub_calloc (seg->node_count,
sizeof (*stripe));
@@ -598,7 +607,7 @@ grub_lvm_detect (grub_disk_t disk,
{
p = grub_strchr (p, '"');
if (p == NULL)
- continue;
+ goto lvs_segment_fail2;
q = ++p;
while (*q != '"')
q++;
@@ -617,7 +626,10 @@ grub_lvm_detect (grub_disk_t disk,
stripe->start = grub_lvm_getvalue (&p, ",")
* vg->extent_size;
if (p == NULL)
- continue;
+ {
+ grub_free (stripe->name);
+ goto lvs_segment_fail2;
+ }
stripe++;
}
@@ -654,7 +666,7 @@ grub_lvm_detect (grub_disk_t disk,
p = grub_strchr (p, '"');
if (p == NULL)
- continue;
+ goto lvs_segment_fail2;
q = ++p;
while (*q != '"')
q++;
@@ -742,7 +754,7 @@ grub_lvm_detect (grub_disk_t disk,
p = p ? grub_strchr (p + 1, '"') : 0;
p = p ? grub_strchr (p + 1, '"') : 0;
if (p == NULL)
- continue;
+ goto lvs_segment_fail2;
q = ++p;
while (*q != '"')
q++;
--
2.11.0
- [SECURITY PATCH 071/117] fs/fshelp: Catch impermissibly large block sizes in read helper, (continued)
- [SECURITY PATCH 071/117] fs/fshelp: Catch impermissibly large block sizes in read helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 082/117] io/gzio: Bail if gzio->tl/td is NULL, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 078/117] fs/jfs: Catch infinite recursion, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 073/117] fs/hfsplus: Don't use uninitialized data on corrupt filesystems, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 083/117] io/gzio: Add init_dynamic_block() clean up if unpacking codes fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 079/117] fs/nilfs2: Reject too-large keys, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 077/117] fs/jfs: Limit the extents that getblk() can consider, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 084/117] io/gzio: Catch missing values in huft_build() and bail, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 086/117] disk/lvm: Don't go beyond the end of the data we read from disk, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 087/117] disk/lvm: Don't blast past the end of the circular metadata buffer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 089/117] disk/lvm: Do not crash if an expected string is not found,
Daniel Kiper <=
- [SECURITY PATCH 085/117] io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 091/117] disk/lvm: Sanitize rlocn->offset to prevent wild read, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 096/117] kern/parser: Introduce process_char() helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 097/117] kern/parser: Introduce terminate_arg() helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 080/117] fs/nilfs2: Don't search children if provided number is too large, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 088/117] disk/lvm: Bail on missing PV list, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 099/117] kern/buffer: Add variable sized heap buffer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 076/117] fs/jfs: Do not move to leaf level if name length is negative, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 075/117] fs/sfs: Fix over-read of root object name, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 074/117] fs/hfs: Disable under lockdown, Daniel Kiper, 2021/03/02