From a89d4c992f486f4b04c7035cfd937b6372df21f2 Mon Sep 17 00:00:00 2001
From: Alden Tondettar
Date: Mon, 23 Jan 2017 23:28:00 -0700
Subject: [PATCH] libblkid: Fix out of bounds reads on bad GPT header
If a GUID Partition Table claims to have more than 2**25 entries, or if the size of each entry is not exactly 128 bytes, libblkid can read out of bounds and segfault. Perform the appropriate checks.
[kzak@redhat.com: - fix typo]
Signed-off-by: Alden Tondettar
Signed-off-by: Karel Zak
---
 libblkid/src/partitions/gpt.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/libblkid/src/partitions/gpt.c b/libblkid/src/partitions/gpt.c
index e6baa598b8..d987236d3e 100644
--- a/libblkid/src/partitions/gpt.c
+++ b/libblkid/src/partitions/gpt.c
@@ -210,7 +210,7 @@ static struct gpt_header *get_gpt_header(
 struct gpt_header *h;
 uint32_t crc;
 uint64_t lu, fu;
- size_t esz;
+ uint64_t esz;
 uint32_t hsz, ssz;
 ssz = blkid_probe_get_sectorsize(pr);
@@ -264,17 +264,16 @@ static struct gpt_header *get_gpt_header(
 return NULL;
 }
- if (le32_to_cpu(h->num_partition_entries) == 0 ||
- le32_to_cpu(h->sizeof_partition_entry) == 0 ||
- ULONG_MAX / le32_to_cpu(h->num_partition_entries) < le32_to_cpu(h->sizeof_partition_entry)) {
+ /* Size of blocks with GPT entries */
+ esz = (uint64_t)le32_to_cpu(h->num_partition_entries) *
+ le32_to_cpu(h->sizeof_partition_entry);
+
+ if (esz == 0 || esz >= UINT32_MAX ||
+ le32_to_cpu(h->sizeof_partition_entry) != sizeof(struct gpt_entry)) {
 DBG(LOWPROBE, ul_debug("GPT entries undefined"));
 return NULL;
 }
- /* Size of blocks with GPT entries */
- esz = le32_to_cpu(h->num_partition_entries) *
- le32_to_cpu(h->sizeof_partition_entry);
-
 /* The header seems valid, save it
 * (we don't care about zeros in hdr->reserved2 area) */
 memcpy(hdr, h, sizeof(*h));
--
2.47.2
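Review bot: The combined check in the second hunk of get_gpt_header() carries no comment for its two new limits, and a table rejected for being too large or for a non-standard entry size is still logged as `GPT entries undefined`. I would add above the `if`: `/* entry array must stay below 4 GiB, and entries are parsed as struct gpt_entry, so any other entry size is rejected */`, and change the message to something like `ul_debug("GPT entries invalid (count or entry size)")` so someone triaging a malformed image can tell the header was rejected rather than empty. UEFI allows SizeOfPartitionEntry to be 128 × 2^n, so the strict `!= sizeof(struct gpt_entry)` test is a deliberate narrowing that the comment should record. The cap still lets an untrusted header declare almost 4 GiB of entries; the code that consumes `esz` lies outside this hunk, so whether that read is also bounded by the device size should be confirmed there.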