g_raid: Prevent tasters from attempting excessively large reads

Some g_raid tasters attempt metadata reads in multiples of the provider sectorsize. Reads larger than MAXPHYS are invalid, so detect and abort in such situations. Spiritually similar to r217305 / PR 147851. PR: 214721 Sponsored by: Dell EMC Isilon
2017-01-12 06:58:31 +00:00 · 2017-01-12 06:58:31 +00:00 · b28ea2c250
commit b28ea2c250
parent 8e712af70b
2 changed files with 15 additions and 0 deletions
--- a/sys/geom/raid/md_ddf.c
+++ b/sys/geom/raid/md_ddf.c
@ -1161,6 +1161,16 @@ ddf_meta_read(struct g_consumer *cp, struct ddf_meta *meta)
 		    (GET16(meta, hdr->Configuration_Record_Length) * ss - 512) / 12));
 	}

+	if (GET32(meta, hdr->cd_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->pdr_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->vdr_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->cr_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->pdd_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->bbmlog_length) * ss >= MAXPHYS) {
+		G_RAID_DEBUG(1, "%s: Blocksize is too big.", pp->name);
+		goto hdrerror;
+	}
+
 	/* Read controller data. */
 	buf = g_read_data(cp, (lba + GET32(meta, hdr->cd_section)) * ss,
 	    GET32(meta, hdr->cd_length) * ss, &error);
--- a/sys/geom/raid/md_promise.c
+++ b/sys/geom/raid/md_promise.c
@ -341,6 +341,11 @@ promise_meta_read(struct g_consumer *cp, struct promise_raid_conf **metaarr)

 	pp = cp->provider;
 	subdisks = 0;
+
+	if (pp->sectorsize * 4 > MAXPHYS) {
+		G_RAID_DEBUG(1, "%s: Blocksize is too big.", pp->name);
+		return (subdisks);
+	}
 next:
 	/* Read metadata block. */
 	buf = g_read_data(cp, pp->mediasize - pp->sectorsize *