1From 27a79bf38e6d050e497eb96a3fdddce43af25577 Mon Sep 17 00:00:00 2001
2From: Daniel Axtens <dja@axtens.net>
3Date: Thu, 21 Jan 2021 18:19:51 +1100
4Subject: [PATCH] disk/lvm: Don't blast past the end of the circular metadata
5 buffer
6
7This catches at least some OOB reads, and it's possible I suppose that
8if 2 * mda_size is less than GRUB_LVM_MDA_HEADER_SIZE it might catch some
9OOB writes too (although that hasn't showed up as a crash in fuzzing yet).
10
11It's a bit ugly and I'd appreciate better suggestions.
12
13Signed-off-by: Daniel Axtens <dja@axtens.net>
14Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
15Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
16---
17 grub-core/disk/lvm.c | 10 ++++++++++
18 1 file changed, 10 insertions(+)
19
20diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
21index 8136122..36da575 100644
22--- a/grub-core/disk/lvm.c
23+++ b/grub-core/disk/lvm.c
24@@ -214,6 +214,16 @@ grub_lvm_detect (grub_disk_t disk,
25 if (grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size) >
26 grub_le_to_cpu64 (mdah->size))
27 {
28+ if (2 * mda_size < GRUB_LVM_MDA_HEADER_SIZE ||
29+ (grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size) -
30+ grub_le_to_cpu64 (mdah->size) > mda_size - GRUB_LVM_MDA_HEADER_SIZE))
31+ {
32+#ifdef GRUB_UTIL
33+ grub_util_info ("cannot copy metadata wrap in circular buffer");
34+#endif
35+ goto fail2;
36+ }
37+
38 /* Metadata is circular. Copy the wrap in place. */
39 grub_memcpy (metadatabuf + mda_size,
40 metadatabuf + GRUB_LVM_MDA_HEADER_SIZE,
41--
422.14.2
43
44
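Review bot: The right-hand bound `mda_size - GRUB_LVM_MDA_HEADER_SIZE` in the added check can underflow, because the first clause rejects only `2 * mda_size < GRUB_LVM_MDA_HEADER_SIZE`; an mda_size between half the header size and the header size still reaches the subtraction, and if mda_size is unsigned (its declaration is outside the hunk) the bound wraps to a very large value and the wrap copy below is no longer limited. Making the first clause `mda_size < GRUB_LVM_MDA_HEADER_SIZE ||` would cover that range. The sum `grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size)` comes from on-disk fields and can itself wrap in 64 bits, here and in the enclosing `if`, so an overflow-checked addition computed once into a local would be safer and easier to read. grub_lvm_detect starts and ends outside the hunk, so the allocation size of metadatabuf should be confirmed against these bounds.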