From: Daniel Axtens <dja@axtens.net>
Date: Fri, 22 Jan 2021 03:43:58 +0000 (+1100)
Subject: disk/lvm: Sanitize rlocn->offset to prevent wild read
X-Git-Tag: grub-2.06-rc1~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=701293684742d00133b39bf957d3642c81dc83f4;p=thirdparty%2Fgrub.git

disk/lvm: Sanitize rlocn->offset to prevent wild read

rlocn->offset is read directly from disk and added to the metadatabuf
pointer to create a pointer to a block of metadata. It's a 64-bit
quantity so as long as you don't overflow you can set subsequent
pointers to point anywhere in memory.

Require that rlocn->offset fits within the metadata buffer size.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---

diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
index 7efbaec79..4e17b8897 100644
--- a/grub-core/disk/lvm.c
+++ b/grub-core/disk/lvm.c
@@ -248,6 +248,14 @@ grub_lvm_detect (grub_disk_t disk,
     }
 
   rlocn = mdah->raw_locns;
+  if (grub_le_to_cpu64 (rlocn->offset) >= grub_le_to_cpu64 (mda_size))
+    {
+#ifdef GRUB_UTIL
+      grub_util_info ("metadata offset is beyond end of metadata area");
+#endif
+      goto fail2;
+    }
+
   if (grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size) >
       grub_le_to_cpu64 (mdah->size))
     {