Blame SOURCES/0420-disk-lvm-Sanitize-rlocn-offset-to-prevent-wild-read.patch

b1bcb2
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b1bcb2
From: Daniel Axtens <dja@axtens.net>
b1bcb2
Date: Fri, 22 Jan 2021 14:43:58 +1100
b1bcb2
Subject: [PATCH] disk/lvm: Sanitize rlocn->offset to prevent wild read
b1bcb2
b1bcb2
rlocn->offset is read directly from disk and added to the metadatabuf
b1bcb2
pointer to create a pointer to a block of metadata. It's a 64-bit
b1bcb2
quantity so as long as you don't overflow you can set subsequent
b1bcb2
pointers to point anywhere in memory.
b1bcb2
b1bcb2
Require that rlocn->offset fits within the metadata buffer size.
b1bcb2
b1bcb2
Signed-off-by: Daniel Axtens <dja@axtens.net>
b1bcb2
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
b1bcb2
---
b1bcb2
 grub-core/disk/lvm.c | 8 ++++++++
b1bcb2
 1 file changed, 8 insertions(+)
b1bcb2
b1bcb2
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
b1bcb2
index 5fb1b69091c..7356ee83935 100644
b1bcb2
--- a/grub-core/disk/lvm.c
b1bcb2
+++ b/grub-core/disk/lvm.c
b1bcb2
@@ -212,6 +212,14 @@ grub_lvm_detect (grub_disk_t disk,
b1bcb2
     }
b1bcb2
 
b1bcb2
   rlocn = mdah->raw_locns;
b1bcb2
+  if (grub_le_to_cpu64 (rlocn->offset) >= grub_le_to_cpu64 (mda_size))
b1bcb2
+    {
b1bcb2
+#ifdef GRUB_UTIL
b1bcb2
+      grub_util_info ("metadata offset is beyond end of metadata area");
b1bcb2
+#endif
b1bcb2
+      goto fail2;
b1bcb2
+    }
b1bcb2
+
b1bcb2
   if (grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size) >
b1bcb2
       grub_le_to_cpu64 (mdah->size))
b1bcb2
     {