This prevents infinite recursion in the diskfilter verification code.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: 2021-02-security/090-disk-lvm-Do-not-allow-a-LV-to-be-it-s-own-segment-s-node-s-LV.patch
rlocn->offset is read directly from disk and added to the metadatabuf
pointer to create a pointer to a block of metadata. It's a 64-bit
quantity so as long as you don't overflow you can set subsequent
pointers to point anywhere in memory.
Require that rlocn->offset fits within the metadata buffer size.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: 2021-02-security/089-disk-lvm-Sanitize-rlocn-offset-to-prevent-wild-read.patch
We could reach the end of valid metadata and not realize, leading to
some buffer overreads. Check if we have reached the end and bail.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: 2021-02-security/088-disk-lvm-Do-not-overread-metadata.patch
Clean up a bunch of cases where we could have strstr() fail and lead to
us dereferencing NULL.
We'll still leak memory in some cases (loops don't clean up allocations
from earlier iterations if a later iteration fails) but at least we're
not crashing.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: 2021-02-security/087-disk-lvm-Do-not-crash-if-an-expected-string-is-not-found.patch
There's an if block for the presence of "physical_volumes {", but if
that block is absent, then p remains NULL and a NULL-deref will result
when looking for logical volumes.
It doesn't seem like LVM makes sense without physical volumes, so error
out rather than crashing.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: 2021-02-security/086-disk-lvm-Bail-on-missing-PV-list.patch
This catches at least some OOB reads, and it's possible I suppose that
if 2 * mda_size is less than GRUB_LVM_MDA_HEADER_SIZE it might catch some
OOB writes too (although that hasn't showed up as a crash in fuzzing yet).
It's a bit ugly and I'd appreciate better suggestions.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: 2021-02-security/085-disk-lvm-Don-t-blast-past-the-end-of-the-circular-metadata-buffer.patch
We unconditionally trusted offset_xl from the LVM label header, even if
it told us that the PV header/disk locations were way off past the end
of the data we read from disk.
Require that the offset be sane, fixing an OOB read and crash.
Fixes: CID 314367, CID 314371
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: 2021-02-security/084-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read-from-disk.patch
It appears to be possible to make a (possibly invalid) lvm PV with a
metadata size field that overflows our type when adding it to the
address we've allocated. Even if it doesn't, it may be possible to do
so with the math using the outcome of that as an operand. Check them
both.
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Patch-Name: lvm-overflow.patch
This modifies most of the places we do some form of:
X = malloc(Y * Z);
to use calloc(Y, Z) instead.
Among other issues, this fixes:
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in luks_recover_key()
reported by Chris Coulson,
- allocation of integer overflow in grub_lvm_detect()
reported by Chris Coulson.
Fixes: CVE-2020-14308
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: safe-alloc-3.patch
* include/grub/diskfilter.h (grub_diskfilter_register): Renamed to ..
(grub_diskfilter_register_front): ... this.
(grub_diskfilter_register_back): New function.
All users of grub_diskfilter_register updated.
* Makefile.util.def (libgrubkern.a): Add grub-core/kern/emu/raid.c.
(grub-setup): Remove util/raid.c.
* grub-core/Makefile.core.def (kernel): Add kern/emu/raid.c on emu.
* grub-core/disk/lvm.c (scan_depth): New variable.
(grub_lvm_iterate): Rescan if necessary.
(find_lv): New function based on grub_lvm_open.
(grub_lvm_open): Use find_lv. Rescan on error.
(is_node_readable): New function.
(is_lv_readable): Likewise.
(grub_lvm_scan_device): Skip already found disks.
(do_lvm_scan): New function. Move grub_lvm_scan_device inside of it.
Stop if searched device is found and readable.
* grub-core/disk/raid.c (inscnt): New variable.
(scan_depth): Likewise.
(scan_devices): New function based on grub_raid_register. Abort if
looked for device is found.
(grub_raid_iterate): Rescan if needed.
(find_array): NEw function based on -grub_raid_open.
(grub_raid_open): Use find_array and rescan.
(insert_array): Set became_readable_at.
* grub-core/kern/disk.c (grub_disk_dev_iterate): Iterate though "pull.
* grub-core/kern/emu/getroot.c (grub_util_open_dm) [HAVE_DEVICE_MAPPER]:
New function.
(grub_util_is_lvm) [HAVE_DEVICE_MAPPER]: Use grub_util_open_dm.
(grub_util_pull_device): New function.
(grub_util_get_grub_dev): Call grub_util_pull_device.
* util/raid.c: Moved to ..
* grub-core/kern/emu/raid.c: ... here.
(grub_util_raid_getmembers): New parameter "bootable".
All users updated. Support 1.x.
* include/grub/ata.h (grub_ata_dev): Change iterate prototype.
All users updated.
* include/grub/disk.h (grub_disk_pull_t): New enum.
(grub_disk_dev): Change iterate prototype.
All users updated.
* include/grub/emu/getroot.h (grub_util_raid_getmembers) [__linux__]:
New proto.
* include/grub/emu/hostdisk.h (grub_util_pull_device): Likewise.
* include/grub/lvm.h (grub_lvm_lv): New members fullname and compatname.
* include/grub/raid.h (grub_raid_array): New member became_readable_at.
* include/grub/scsi.h (grub_scsi_dev): Change iterate prototype.
All users updated.
* include/grub/util/raid.h: Removed.
* grub-core/kern/misc.c (grub_divmod64_full): Renamed to ...
(grub_divmod64): ... this.
* include/grub/misc.h (grub_divmod64): Removed. All users switch to full
version.
configurations like pvmove. Previously code assumed that in some places
only lvs or only pvs are used whereas it seems that they are used
interchangeably.
* grub-core/disk/lvm.c (read_node): New function.
(read_lv): Use read_node.
(grub_lvm_scan_device): Use only first mirror on pvmove'd lvs.
Match volumes only at the end when all lvs are found. Take both
pvs (first) and lvs (second) into account.
* include/grub/lvm.h (grub_lvm_segment): Merge fields stripe_* and
mirror_* into node_*. All users updated.
(grub_lvm_stripe): Merge this ...
(grub_lvm_mirror): ... and this ...
(grub_lvm_node): ... into this. All users updated.
All users updated.
* disk/loopback.c (grub_loopback): Remove has_partitions.
All users updated.
(options): Remove partitions. All users updated.
* util/grub-fstest.c (fstest): Don't pass "-p" to loopback.
* util/i386/pc/grub-setup.c (setup): copy partition table only when
actual partition table is found.
