Blame SOURCES/0416-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read.patch

b1bcb2
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b1bcb2
From: Daniel Axtens <dja@axtens.net>
b1bcb2
Date: Thu, 21 Jan 2021 17:59:14 +1100
b1bcb2
Subject: [PATCH] disk/lvm: Don't go beyond the end of the data we read from
b1bcb2
 disk
b1bcb2
b1bcb2
We unconditionally trusted offset_xl from the LVM label header, even if
b1bcb2
it told us that the PV header/disk locations were way off past the end
b1bcb2
of the data we read from disk.
b1bcb2
b1bcb2
Require that the offset be sane, fixing an OOB read and crash.
b1bcb2
b1bcb2
Fixes: CID 314367, CID 314371
b1bcb2
b1bcb2
Signed-off-by: Daniel Axtens <dja@axtens.net>
b1bcb2
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
b1bcb2
---
b1bcb2
 grub-core/disk/lvm.c | 14 ++++++++++++++
b1bcb2
 1 file changed, 14 insertions(+)
b1bcb2
b1bcb2
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
b1bcb2
index 5fa9f562e4f..43e2f6ddf3c 100644
b1bcb2
--- a/grub-core/disk/lvm.c
b1bcb2
+++ b/grub-core/disk/lvm.c
b1bcb2
@@ -142,6 +142,20 @@ grub_lvm_detect (grub_disk_t disk,
b1bcb2
       goto fail;
b1bcb2
     }
b1bcb2
 
b1bcb2
+  /*
b1bcb2
+   * We read a grub_lvm_pv_header and then 2 grub_lvm_disk_locns that
b1bcb2
+   * immediately follow the PV header. Make sure we have space for both.
b1bcb2
+   */
b1bcb2
+  if (grub_le_to_cpu32 (lh->offset_xl) >=
b1bcb2
+      GRUB_LVM_LABEL_SIZE - sizeof (struct grub_lvm_pv_header) -
b1bcb2
+      2 * sizeof (struct grub_lvm_disk_locn))
b1bcb2
+    {
b1bcb2
+#ifdef GRUB_UTIL
b1bcb2
+      grub_util_info ("LVM PV header/disk locations are beyond the end of the block");
b1bcb2
+#endif
b1bcb2
+      goto fail;
b1bcb2
+    }
b1bcb2
+
b1bcb2
   pvh = (struct grub_lvm_pv_header *) (buf + grub_le_to_cpu32(lh->offset_xl));
b1bcb2
 
b1bcb2
   for (i = 0, j = 0; i < GRUB_LVM_ID_LEN; i++)