From 8ad6f46fb70476de70b63be79bfb4566c56cc0e3 Mon Sep 17 00:00:00 2001
From: krw
Date: Thu, 11 Aug 2022 20:22:27 +0000
Subject: [PATCH] Don't trust gpt header data read from disk until after its validity is checked. Found the hard way by kn@ Cluebats from millert@ and deraadt@. Fix tested by and ok kn@
---
 sys/kern/subr_disk.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/sys/kern/subr_disk.c b/sys/kern/subr_disk.c
index dcb4b224d33..90bdd46d7a7 100644
--- a/sys/kern/subr_disk.c
+++ b/sys/kern/subr_disk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: subr_disk.c,v 1.249 2022/08/06 14:48:33 krw Exp $ */
+/* $OpenBSD: subr_disk.c,v 1.250 2022/08/11 20:22:27 krw Exp $ */
 /* $NetBSD: subr_disk.c,v 1.17 1996/03/16 23:17:08 christos Exp $ */
 /*
@@ -470,7 +470,7 @@ gpt_get_hdr(struct buf *bp, void (*strat)(struct buf *), struct disklabel *lp,
 uint64_t partlba;
 uint64_t lbaend, lbastart;
 uint32_t csum;
- uint32_t size, partsize, partspersec;
+ uint32_t size, partsize;
 error = readdisksector(bp, strat, lp, sector);
@@ -481,14 +481,13 @@ gpt_get_hdr(struct buf *bp, void (*strat)(struct buf *), struct disklabel *lp,
 size = letoh32(ngh.gh_size);
 partsize = letoh32(ngh.gh_part_size);
- partspersec = lp->d_secsize / partsize;
 partlba = letoh64(ngh.gh_part_lba);
 lbaend = letoh64(ngh.gh_lba_end);
 lbastart = letoh64(ngh.gh_lba_start);
 csum = ngh.gh_csum;
 ngh.gh_csum = 0;
- ngh.gh_csum = htole32(crc32(0, (unsigned char *)&ngh, size));
+ ngh.gh_csum = htole32(crc32(0, (unsigned char *)&ngh, GPTMINHDRSIZE));
 if (letoh64(ngh.gh_sig) == GPTSIGNATURE && letoh32(ngh.gh_rev) == GPTREVISION &&
--
2.20.1
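Review bot: In the third hunk of `gpt_get_hdr`, the `crc32` call now checksums the fixed `GPTMINHDRSIZE` with no comment saying why, so a later cleanup could plausibly restore the on-disk `size` as the length. `size` and `partsize` are still copied out of the header before the signature/revision test, so any use of them as a length or divisor has to stay below that test. I would add `/* ngh fields are untrusted until the checks below pass: checksum the fixed-size header, never gh_size bytes */` above `csum = ngh.gh_csum;`. A header that declares a `gh_size` larger than `GPTMINHDRSIZE` will presumably no longer match its stored CRC, which is the intended outcome only if the conditional also rejects `size != GPTMINHDRSIZE`. The function body starts before this hunk and the conditional continues past it, so that is worth confirming in the full file.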