Page MenuHomeFreeBSD

Bug 219000 - Integer underflow in efipart_realstrategy when I/O starts after end of disk
ClosedPublic

Authored by eric_metricspace.net on May 1 2017, 2:44 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Dec 20, 5:23 PM
Unknown Object (File)
Fri, Dec 20, 4:16 PM
Unknown Object (File)
Fri, Dec 20, 4:13 PM
Unknown Object (File)
Fri, Dec 20, 3:44 PM
Unknown Object (File)
Fri, Dec 20, 10:18 AM
Unknown Object (File)
Wed, Dec 4, 11:58 PM
Unknown Object (File)
Thu, Nov 28, 2:48 AM
Unknown Object (File)
Thu, Nov 28, 2:47 AM
Subscribers

Details

Summary

This fixes an integer underflow in efipart_realstrategy, which causes crashes when an I/O operation's start point is after the end of the disk.

This can happen when trying to detect filesystems on very small disks. This can occur if a BIOS freebsd-boot partition exists on a system when the EFI loader is being used.

Test Plan

This has been confirmed to fix the problem in the course of GELI debugging.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

tsoome added inline comments.
sys/boot/efi/libefi/efipart.c
929–937

this will overflow as d_offset is uint64_t.

930

can this overflow?

sys/boot/efi/libefi/efipart.c
929–937

I thought size_t was a uint64_t

sys/boot/efi/libefi/efipart.c
929–937

you also have to keep in mind that we will need the same code for UEFI32 - even as we do not built it at the moment:) Otherwise Allanjude will be real sad;)

cem added a subscriber: cem.

Thanks!

sys/boot/efi/libefi/efipart.c
929–938

Style(9) puts these declarations at the top of the function.

935

Should we return an error? ENXIO / EINVAL?

sys/boot/efi/libefi/efipart.c
935

The cross boundary reads in biosdisk.c are returning EIO.

Also, it did occur me that it probably is good idea to try to keep the similar implementations as the basic logic should be the same anyhow. So I suggest to check biosdisk.c too (and maybe discover some hidden corner case there:D)

eric_metricspace.net marked 4 inline comments as done.

Addressed style comments

sys/boot/efi/libefi/efipart.c
930

Note: the original problem was an underflow, namely that (off / blkio->Media->BlockSize) was greater than (d_offset + disk_blocks), which would be negative, but wraps around to a really huge number because it's unsigned math.

The only way to overflow here would be to have a partitions whose offsets exceed the capacity of size_t.

This revision is now accepted and ready to land.Jul 1 2017, 8:06 PM
This revision was automatically updated to reflect the committed changes.