Integer underflow in efipart_realstrategy when I/O starts after end of disk

This fixes an integer underflow in efipart_realstrategy, which causes crashes when an I/O operation's start point is after the end of the disk. This can happen when trying to detect filesystems on very small disks. This can occur if a BIOS freebsd-boot partition exists on a system when the EFI loader is being used. PR: 219000 Submitted by: Eric McCorkle <eric@metricspace.net> Reviewed by: cem (previous version), tsoome (previous version) MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D10559
2017-07-01 20:25:22 +00:00 · 2017-07-01 20:25:22 +00:00 · e11bad9d2b
commit e11bad9d2b
parent 993d3ded79
1 changed files with 10 additions and 1 deletions
--- a/sys/boot/efi/libefi/efipart.c
+++ b/sys/boot/efi/libefi/efipart.c
@ -888,6 +888,7 @@ efipart_realstrategy(void *devdata, int rw, daddr_t blk, size_t size,
 	char *blkbuf;
 	size_t blkoff, blksz;
 	int error;
+	size_t diskend, readstart;

 	if (dev == NULL || blk < 0)
 		return (EINVAL);
@ -925,7 +926,15 @@ efipart_realstrategy(void *devdata, int rw, daddr_t blk, size_t size,

 	/* make sure we don't read past disk end */
 	if ((off + size) / blkio->Media->BlockSize > d_offset + disk_blocks) {
-		size = d_offset + disk_blocks - off / blkio->Media->BlockSize;
+		diskend = d_offset + disk_blocks;
+		readstart = off / blkio->Media->BlockSize;
+
+		if (diskend <= readstart) {
+			*rsize = 0;
+
+			return (EIO);
+		}
+		size = diskend - readstart;
 		size = size * blkio->Media->BlockSize;
 	}