[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 090/117] disk/lvm: Do not overread metadata
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 090/117] disk/lvm: Do not overread metadata |
Date: |
Tue, 2 Mar 2021 19:01:37 +0100 |
From: Daniel Axtens <dja@axtens.net>
We could reach the end of valid metadata and not realize, leading to
some buffer overreads. Check if we have reached the end and bail.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/disk/lvm.c | 35 +++++++++++++++++++++++++++++------
1 file changed, 29 insertions(+), 6 deletions(-)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
index 201097fda..7efbaec79 100644
--- a/grub-core/disk/lvm.c
+++ b/grub-core/disk/lvm.c
@@ -352,17 +352,23 @@ grub_lvm_detect (grub_disk_t disk,
while (1)
{
grub_ssize_t s;
- while (grub_isspace (*p))
+ while (grub_isspace (*p) && p < mda_end)
p++;
+ if (p == mda_end)
+ goto fail4;
+
if (*p == '}')
break;
pv = grub_zalloc (sizeof (*pv));
q = p;
- while (*q != ' ')
+ while (*q != ' ' && q < mda_end)
q++;
+ if (q == mda_end)
+ goto pvs_fail_noname;
+
s = q - p;
pv->name = grub_malloc (s + 1);
grub_memcpy (pv->name, p, s);
@@ -405,6 +411,7 @@ grub_lvm_detect (grub_disk_t disk,
continue;
pvs_fail:
grub_free (pv->name);
+ pvs_fail_noname:
grub_free (pv);
goto fail4;
}
@@ -426,18 +433,24 @@ grub_lvm_detect (grub_disk_t disk,
struct grub_diskfilter_segment *seg;
int is_pvmove;
- while (grub_isspace (*p))
+ while (grub_isspace (*p) && p < mda_end)
p++;
+ if (p == mda_end)
+ goto fail4;
+
if (*p == '}')
break;
lv = grub_zalloc (sizeof (*lv));
q = p;
- while (*q != ' ')
+ while (*q != ' ' && q < mda_end)
q++;
+ if (q == mda_end)
+ goto lvs_fail;
+
s = q - p;
lv->name = grub_strndup (p, s);
if (!lv->name)
@@ -609,9 +622,12 @@ grub_lvm_detect (grub_disk_t disk,
if (p == NULL)
goto lvs_segment_fail2;
q = ++p;
- while (*q != '"')
+ while (q < mda_end && *q != '"')
q++;
+ if (q == mda_end)
+ goto lvs_segment_fail2;
+
s = q - p;
stripe->name = grub_malloc (s + 1);
@@ -668,9 +684,12 @@ grub_lvm_detect (grub_disk_t disk,
if (p == NULL)
goto lvs_segment_fail2;
q = ++p;
- while (*q != '"')
+ while (q < mda_end && *q != '"')
q++;
+ if (q == mda_end)
+ goto lvs_segment_fail2;
+
s = q - p;
lvname = grub_malloc (s + 1);
@@ -826,6 +845,8 @@ grub_lvm_detect (grub_disk_t disk,
goto cache_lv_fail;
p3 = ++p2;
+ if (p3 == mda_end)
+ goto cache_lv_fail;
p3 = grub_strchr (p3, '"');
if (!p3)
goto cache_lv_fail;
@@ -847,6 +868,8 @@ grub_lvm_detect (grub_disk_t disk,
goto cache_lv_fail;
p3 = ++p2;
+ if (p3 == mda_end)
+ goto cache_lv_fail;
p3 = grub_strchr (p3, '"');
if (!p3)
goto cache_lv_fail;
--
2.11.0
- [SECURITY PATCH 097/117] kern/parser: Introduce terminate_arg() helper, (continued)
- [SECURITY PATCH 097/117] kern/parser: Introduce terminate_arg() helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 080/117] fs/nilfs2: Don't search children if provided number is too large, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 088/117] disk/lvm: Bail on missing PV list, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 099/117] kern/buffer: Add variable sized heap buffer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 076/117] fs/jfs: Do not move to leaf level if name length is negative, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 075/117] fs/sfs: Fix over-read of root object name, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 074/117] fs/hfs: Disable under lockdown, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 094/117] fs/btrfs: Squash some uninitialized reads, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 081/117] fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 093/117] fs/btrfs: Validate the number of stripes/parities in RAID5/6, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 090/117] disk/lvm: Do not overread metadata,
Daniel Kiper <=
- [SECURITY PATCH 095/117] kern/parser: Fix a memory leak, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 092/117] disk/lvm: Do not allow a LV to be it's own segment's node's LV, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 098/117] kern/parser: Refactor grub_parser_split_cmdline() cleanup, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 102/117] util/mkimage: Remove unused code to add BSS section, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 108/117] util/mkimage: Refactor section setup to use a helper, Daniel Kiper, 2021/03/02