1From 701293684742d00133b39bf957d3642c81dc83f4 Mon Sep 17 00:00:00 2001 2From: Daniel Axtens <dja@axtens.net> 3Date: Fri, 22 Jan 2021 14:43:58 +1100 4Subject: [PATCH] disk/lvm: Sanitize rlocn->offset to prevent wild read 5 6rlocn->offset is read directly from disk and added to the metadatabuf 7pointer to create a pointer to a block of metadata. It's a 64-bit 8quantity so as long as you don't overflow you can set subsequent 9pointers to point anywhere in memory. 10 11Require that rlocn->offset fits within the metadata buffer size. 12 13Signed-off-by: Daniel Axtens <dja@axtens.net> 14Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 15Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 16--- 17 grub-core/disk/lvm.c | 8 ++++++++ 18 1 file changed, 8 insertions(+) 19 20diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c 21index 742ecd6..ed0712f 100644 22--- a/grub-core/disk/lvm.c 23+++ b/grub-core/disk/lvm.c 24@@ -211,6 +211,14 @@ grub_lvm_detect (grub_disk_t disk, 25 } 26 27 rlocn = mdah->raw_locns; 28+ if (grub_le_to_cpu64 (rlocn->offset) >= grub_le_to_cpu64 (mda_size)) 29+ { 30+#ifdef GRUB_UTIL 31+ grub_util_info ("metadata offset is beyond end of metadata area"); 32+#endif 33+ goto fail2; 34+ } 35+ 36 if (grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size) > 37 grub_le_to_cpu64 (mdah->size)) 38 { 39-- 402.14.2 41 42
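Review bot: the new bound in the hunk is taken against `grub_le_to_cpu64 (mda_size)`, while the existing check two lines below bounds the same `rlocn` against `grub_le_to_cpu64 (mdah->size)`; please confirm these are the same quantity and, since `mda_size` looks like a local rather than an on-disk field, that it is not already in host byte order (applying `grub_le_to_cpu64` to a host-order value is harmless on little-endian builds but would byte-swap the limit on big-endian ones). A second point on the lines that remain unchanged: the addition `grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size)` is still an unchecked 64-bit sum, so an attacker-controlled `rlocn->size` close to 2^64 can wrap it below `mdah->size` and slip past the comparison even with the new offset check in place; now that `offset` is known to be below the area size, rewriting it as `if (grub_le_to_cpu64 (rlocn->size) > grub_le_to_cpu64 (mdah->size) - grub_le_to_cpu64 (rlocn->offset))` removes the overflow. Finally, the `#ifdef GRUB_UTIL` diagnostic only reports in the host utility; a `grub_error` would make the rejected metadata visible at boot time as well, matching how other failures in this function are surfaced.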