git.sourceforge.jp Git - android-x86/external-efivar.git/commit

author	Peter Jones <pjones@redhat.com>
	Tue, 9 May 2017 18:20:13 +0000 (14:20 -0400)
committer	Peter Jones <pjones@redhat.com>
	Tue, 9 May 2017 20:03:42 +0000 (16:03 -0400)
commit	29a53c93ce063c8272e44f4981201a4752fc6ba1
tree	2c9e5b5a902531489059c69229b030d64817e968	tree \| snapshot
parent	9d74090cea256021e68b204c4770a5df28398cbd	commit \| diff

gpt: try to avoid trusting unverified partition table data.

Covscan complains thusly:
4. efivar-31/src/gpt.c:338: tainted_data_return: Function "alloc_read_gpt_header" returns tainted data.
7. efivar-31/src/gpt.c:311:2: tainted_data_argument: Function "read_lba" taints argument "gpt".
12. efivar-31/src/gpt.c:245:2: tainted_data_argument: Calling function "read" taints parameter "*iobuf". [Note: The source code implementation of the function has been overridden by a builtin model.]
13. efivar-31/src/gpt.c:246:2: tainted_data_transitive: "memcpy" taints argument "buffer" because argument "iobuf" is tainted. [Note: The source code implementation of the function has been overridden by a builtin model.]
16. efivar-31/src/gpt.c:316:2: return_tainted_data: Returning tainted variable "gpt".
17. efivar-31/src/gpt.c:338: var_assign: Assigning: "*gpt" = "alloc_read_gpt_header", which taints "*gpt".
26. efivar-31/src/gpt.c:382: tainted_data: Passing tainted variable "(*gpt)->num_partition_entries" to a tainted sink.
27. efivar-31/src/gpt.c:272:15: var_assign_alias: Assigning: "count" = "(__u32)(__le32)gpt->num_partition_entries * (__u32)(__le32)gpt->sizeof_partition_entry". Both are now tainted.
30. efivar-31/src/gpt.c:278:2: tainted_data_sink_lv_call: Passing tainted variable "count" to tainted data sink "malloc".

Hopefully this patch validates num_partition_entries and
sizeof_partition_entry well enough...

Signed-off-by: Peter Jones <pjones@redhat.com>

src/disk.c		diff \| blob \| history
src/gpt.c		diff \| blob \| history
src/gpt.h		diff \| blob \| history