geom_part: Fix potential integer overflow when checking size of the table

`hdr_entries` and `hdr_entsz` are both uint32_t as defined in the UEFI spec.
The current spec does not set an upper limit on the number of partition
entries or the size of a partition entry, so it is possible that a malicious
or corrupted GPT header read from an untrusted source contains a large
entry number or size.

PR:		266548
Reviewed by:	oshogbo, cem, imp, markj
Approved by:	kp (mentor)
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D36709
Zhenlei Huang 2022-12-21 09:04:30 +08:00
parent 54f3a781a2
commit 2e543af13a


@ -515,7 +515,8 @@ gpt_read_hdr(struct g_part_gpt_table *table, struct g_consumer *cp,
hdr->hdr_lba_table <= hdr->hdr_lba_end)
goto fail;
lba = hdr->hdr_lba_table +
howmany(hdr->hdr_entries * hdr->hdr_entsz, pp->sectorsize) - 1;
howmany((uint64_t)hdr->hdr_entries * hdr->hdr_entsz,
pp->sectorsize) - 1;
if (lba >= last)
goto fail;
if (lba >= hdr->hdr_lba_start && lba <= hdr->hdr_lba_end)
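Review bot: The sum on the changed `lba =` line is still unchecked. The `(uint64_t)` cast widens the `hdr_entries * hdr_entsz` product, but the `howmany()` result is then added to `hdr->hdr_lba_table`, which also comes from the untrusted header, and a wrapped sum would pass the following `if (lba >= last)` test. Nothing in this hunk shows `hdr_lba_table` being bounded from above, so please confirm it is compared against `last` earlier in `gpt_read_hdr()`, or compare the sector count against `last - hdr->hdr_lba_table` instead of forming the sum. The fix also depends on the cast binding to `hdr->hdr_entries` before the multiplication. A one-line comment saying the product of two uint32_t header fields must be computed in 64 bits would keep a later cleanup from dropping the cast or moving it outside the parentheses.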