Bug 219000

Summary: [patch] Integer underflow in efipart_realstrategy when I/O starts after end of disk
Product: Base System
Reporter: Eric McCorkle <emc2>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Some People
CC: cem, emaste, gonzo, tsoome
Priority: ---
Keywords: patch
Version: CURRENT
Hardware: Any
OS: Any
Attachments:
  Patch to fix the problem (flags: none)

Description Eric McCorkle 2017-05-01 14:41:07 UTC
The efipart_realstrategy function (which performs I/O in the UEFI boot loader) has an integer underflow when the I/O operation starts after the end of the disk.  

This normally causes a crash.
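The arithmetic the report describes, as an added illustrative example in C; this is not the attached patch or FreeBSD's efipart.c. The media struct, its field names (modelled on the EFI block I/O media descriptor) and the sample geometry are all constructed here, and the buggy clamp is shown beside a bounds check that rejects a start offset past the end of the device.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the EFI block I/O media descriptor (names are
 * assumptions, not FreeBSD's structs): 8 blocks of 512 bytes, so the
 * device ends at byte offset 4096. */
struct media {
    uint64_t last_block;   /* index of the last valid block */
    uint32_t block_size;   /* bytes per block */
};
static const struct media demo_media = { .last_block = 7, .block_size = 512 };

static uint64_t dev_end(const struct media *m)
{
    return (m->last_block + 1) * (uint64_t)m->block_size;
}

/* Buggy pattern: clamp the transfer to the bytes remaining on the device.
 * The subtraction is unsigned, so a start offset past the end of the disk
 * wraps to an enormous size instead of being rejected. */
static uint64_t clamp_unchecked(const struct media *m, uint64_t off, uint64_t size)
{
    uint64_t end = dev_end(m);
    if (off + size > end)
        size = end - off;          /* underflows when off > end */
    return size;
}

/* Hardened: reject a start at or past the end first, then clamp with a
 * subtraction that cannot wrap (off + size is never formed, so it cannot
 * overflow either). Returns the clamped size, or -EIO if unservable. */
static int64_t clamp_checked(const struct media *m, uint64_t off, uint64_t size)
{
    uint64_t end = dev_end(m);
    if (off >= end)
        return -EIO;
    if (size > end - off)
        size = end - off;
    return (int64_t)size;
}

int main(void)
{
    /* A one-block read starting one device length past the end. */
    printf("unchecked: %llu bytes\n", (unsigned long long)clamp_unchecked(&demo_media, 8192, 512));
    printf("checked:   %lld\n", (long long)clamp_checked(&demo_media, 8192, 512));
    return 0;
}
```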
Comment 1 Eric McCorkle 2017-05-01 14:46:22 UTC
Created attachment 182226 [details]
Patch to fix the problem

Review for fix: https://reviews.freebsd.org/D10559
Comment 2 commit-hook freebsd_committer freebsd_triage 2017-07-01 20:25:57 UTC
A commit references this bug:

Author: allanjude
Date: Sat Jul  1 20:25:22 UTC 2017
New revision: 320553
URL: https://svnweb.freebsd.org/changeset/base/320553

Log:
  Integer underflow in efipart_realstrategy when I/O starts after end of disk

  This fixes an integer underflow in efipart_realstrategy, which causes
  crashes when an I/O operation's start point is after the end of the disk.
  This can happen when trying to detect filesystems on very small disks.
  This can occur if a BIOS freebsd-boot partition exists on a system when the
  EFI loader is being used.

  PR:		219000
  Submitted by:	Eric McCorkle <eric@metricspace.net>
  Reviewed by:	cem (previous version), tsoome (previous version)
  MFC after:	1 week
  Differential Revision:	https://reviews.freebsd.org/D10559

Changes:
  head/sys/boot/efi/libefi/efipart.c
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-02-11 02:28:06 UTC
A commit references this bug:

Author: kevans
Date: Sun Feb 11 02:27:52 UTC 2018
New revision: 329114
URL: https://svnweb.freebsd.org/changeset/base/329114

Log:
  MFC Loader Fixes 2017q3: r320547,r320553,r321621,r321844,r321969,r321991,
  r322037,r322038,r322039,r322040,r322056,r322074,r322542,r322592,r322593,
  r322896,r322923,r323671,r322930,r322931,r322932,r322933,r322934,r322935,
  r322936,r322937,r322938,r322939,r322941,r323062,r323063,r323064,r323065,
  r323100,r323131,r323174,r323258,r323261,r323272,r323367,r323379,r323389,
  r323407,r323428,r323436,r323494,r323496,r323497,r323541,r323554,r323589,
  r323707,r323867,r323885,r323886,r323895,r323896,r323897,r323905,r323906,
  r323907,r323908,r323909,r323952,r323991,r324099,r324558,r326445,r326609,
  r326610

  This batch includes a special kludge to fix powerpc loader build; <stdlib.h>
  was included after <stand.h> there, causing problems with DEBUG_MALLOC bits.
  Include <stdlib.h> a little bit earlier to fix the build with the intention
  of removing this when eventually libsa silently replaces stdlib.h with
  stand.h.

  r320547: Link EFI/uboot loaders with -znotext

  r320553: Integer underflow in efipart_realstrategy when I/O starts after end
  of disk

  r321621: Always set the receive mask in loader.efi.

  r321844: Clean up style in print_state(..) and pager_printf(..)

  r321969: Fix the return types for printf and putchar to match their libc

  r321991: Revert r321969

  r322037: Add stpcpy and stpncpy to libstand

  r322038: Add definitions and utilities for EFI drivers

  r322039: Move EFI ZFS functions to libefi

  r322040: Add EFI utility functions to libefi

  r322056: Move EFI fmtdev functionality to libefi

  r322074: libefi/time.c cstyle cleanup

  r322542: loader.efi: replace XXX with real comments in trap.c

  r322592: Remove unused defines.

  r322593: Define proposed GUID for FreeBSD boot loader variables.

  r322896: Make spinconsole platform independent and hook it up into EFI
  loader

  r322923: Hide length of geli passphrase during boot.

  r323671: Fix language used in the r322923.

  r322930: Move efi_main into efi/loader

  r322931: Cleanup efi_main return type

  r322932: Use the loader.efi conventions for the various EFI tables.

  r322933: No need for MK_ZFS around these: they are by their nature only
  active when MK_ZFS is true.

  r322934: _STAND is sometimes defined on the command line. Make the define
  here match.

  r322935: Fix warnings due to type mismatch.

  r322936: Remove useless 'static' for an enum definition.

  r322937: Forward declare struct dsk to avoid warnings when building libi386.

  r322938: Link in libefi for boot1

  r322939: Use efi_devpath_str for debug path info.

  r322941: Eliminate redundant device path matching.

  r323062: Make efichar.c routines available to libefi.

  r323063: boot1.efi: print more info about where boot1.efi is loaded from

  r323064: Exit rather than panic for most errors.

  r323065: Save where we're booted from

  r323100: libstand: nfs_readlink() should return proper return code

  r323131: Revert r322941: Eliminate redundant device matching functions

  r323174: Fix loader bug causing too many pages allocation when bootloader
  is U-Boot

  r323258: ucs2len

  r323261: Fix armv6 build

  r323272: Be consistent and do return (1);

  r323367: Mark init_chroot and init_script variables as deprecated.

  r323379: It's been pointed out that init_script at least is useful w/o

  r323389: loader.efi: chain loader should provide proper device handle

  r323407: boot1 generate-fat: generate all templates at once

  r323428: r323389 breaks the kernel build when WITHOUT_ZFS is defined in
  src.conf

  r323436: boot1: remove BOOT1_MAXSIZE default value

  r323494: loader should support large_dnode

  r323496: libstand: tftp_open() can leak pkt on error

  r323497: libefi: efipart_open should check the status from disk_open

  r323541: libefi: efipart_realstrategy rsize pointer may be NULL

  r323554: Increase EFI boot file size from 128k to 384k

  r323589: loader: biosmem.c cstyle cleanup

  r323707: loader: biosmem allocate heap just below 4GB

  r323867: libefi: devicename.c cleanups

  r323885: libefi: efi_devpath_match() should return bool

  r323886: libefi: efipart.c should use calloc()

  r323895: libefi: efi_devpath_match local len should be unsigned

  r323896: r323885 did miss efilib.h update

  r323897: efilib.h: typo in structure member description

  r323905: libefi: pdinfo_t pd_unit and pd_open should be unsigned

  r323906: libefi: efipart_strategy() should return ENXIO when there is no
  media

  r323907: libefi: efipart.c cstyle fix for efipart_print_common()

  r323908: libefi: efipart_hdinfo_add_filepath should check strtol result

  r323909: libefi: define EISA PNP constants

  r323952: After the r317886 support for TFTP and NFS can be enabled
  simultaneously.

  r323991: libefi: efipart_floppy() should not pass acpi pointer if the
  HID test fails

  r324099: Compile loader as Little-Endian on PPC64/POWER8

  r324558: Define prototype for exit and ensure references

  r326445: Fix random() and srandom() prototypes to match the standard.

  r326609: Make putenv and getenv match the userland definition

  r326610: Fix random() prototype to match the system.

  PR:		219000 221001 222215
  Relnotes:	yes ("The length of the geli passphrase is hidden during boot")

Changes:
_U  stable/11/
  stable/11/UPDATING
  stable/11/lib/libstand/Makefile
  stable/11/lib/libstand/environment.c
  stable/11/lib/libstand/libstand.3
  stable/11/lib/libstand/nfs.c
  stable/11/lib/libstand/random.c
  stable/11/lib/libstand/stand.h
  stable/11/lib/libstand/tftp.c
  stable/11/sbin/geom/class/eli/geli.8
  stable/11/sbin/geom/class/eli/geom_eli.c
  stable/11/share/mk/src.opts.mk
  stable/11/sys/boot/Makefile.inc
  stable/11/sys/boot/arm/uboot/Makefile
  stable/11/sys/boot/arm/uboot/conf.c
  stable/11/sys/boot/common/loader.8
  stable/11/sys/boot/efi/boot1/Makefile
  stable/11/sys/boot/efi/boot1/Makefile.fat
  stable/11/sys/boot/efi/boot1/boot1.c
  stable/11/sys/boot/efi/boot1/boot_module.h
  stable/11/sys/boot/efi/boot1/fat-amd64.tmpl.bz2.uu
  stable/11/sys/boot/efi/boot1/fat-amd64.tmpl.xz
  stable/11/sys/boot/efi/boot1/fat-arm.tmpl.bz2.uu
  stable/11/sys/boot/efi/boot1/fat-arm.tmpl.xz
  stable/11/sys/boot/efi/boot1/fat-arm64.tmpl.bz2.uu
  stable/11/sys/boot/efi/boot1/fat-arm64.tmpl.xz
  stable/11/sys/boot/efi/boot1/fat-i386.tmpl.bz2.uu
  stable/11/sys/boot/efi/boot1/fat-i386.tmpl.xz
  stable/11/sys/boot/efi/boot1/generate-fat.sh
  stable/11/sys/boot/efi/boot1/ufs_module.c
  stable/11/sys/boot/efi/boot1/zfs_module.c
  stable/11/sys/boot/efi/include/efi.h
  stable/11/sys/boot/efi/include/efi_driver_utils.h
  stable/11/sys/boot/efi/include/efi_drivers.h
  stable/11/sys/boot/efi/include/efiapi.h
  stable/11/sys/boot/efi/include/efichar.h
  stable/11/sys/boot/efi/include/efidevp.h
  stable/11/sys/boot/efi/include/efilib.h
  stable/11/sys/boot/efi/include/efiprot.h
  stable/11/sys/boot/efi/include/efizfs.h
  stable/11/sys/boot/efi/libefi/Makefile
  stable/11/sys/boot/efi/libefi/devicename.c
  stable/11/sys/boot/efi/libefi/devpath.c
  stable/11/sys/boot/efi/libefi/efi_driver_utils.c
  stable/11/sys/boot/efi/libefi/efichar.c
  stable/11/sys/boot/efi/libefi/efinet.c
  stable/11/sys/boot/efi/libefi/efipart.c
  stable/11/sys/boot/efi/libefi/efizfs.c
  stable/11/sys/boot/efi/libefi/errno.c
  stable/11/sys/boot/efi/libefi/libefi.c
  stable/11/sys/boot/efi/libefi/time.c
  stable/11/sys/boot/efi/loader/Makefile
  stable/11/sys/boot/efi/loader/arch/amd64/Makefile.inc
  stable/11/sys/boot/efi/loader/arch/amd64/trap.c
  stable/11/sys/boot/efi/loader/arch/i386/Makefile.inc
  stable/11/sys/boot/efi/loader/bootinfo.c
  stable/11/sys/boot/efi/loader/conf.c
  stable/11/sys/boot/efi/loader/devicename.c
  stable/11/sys/boot/efi/loader/efi_main.c
  stable/11/sys/boot/efi/loader/loader_efi.h
  stable/11/sys/boot/efi/loader/main.c
  stable/11/sys/boot/geli/geliboot.c
  stable/11/sys/boot/geli/geliboot.h
  stable/11/sys/boot/geli/geliboot_crypto.c
  stable/11/sys/boot/geli/geliboot_internal.h
  stable/11/sys/boot/geli/pwgets.c
  stable/11/sys/boot/i386/libi386/Makefile
  stable/11/sys/boot/i386/libi386/biosdisk.c
  stable/11/sys/boot/i386/libi386/biosmem.c
  stable/11/sys/boot/i386/libi386/spinconsole.c
  stable/11/sys/boot/mips/uboot/conf.c
  stable/11/sys/boot/powerpc/ofw/conf.c
  stable/11/sys/boot/powerpc/ofw/ofwfdt.c
  stable/11/sys/boot/powerpc/uboot/conf.c
  stable/11/sys/boot/userboot/test/test.c
  stable/11/sys/boot/userboot/userboot/main.c
  stable/11/sys/boot/userboot/userboot.h
  stable/11/sys/boot/zfs/zfsimpl.c
  stable/11/sys/cddl/boot/zfs/zfsimpl.h
  stable/11/sys/geom/eli/g_eli.c
  stable/11/sys/geom/eli/g_eli.h
  stable/11/sys/geom/eli/g_eli_ctl.c
  stable/11/usr.sbin/bhyveload/bhyveload.c
Comment 4 Oleksandr Tymoshenko freebsd_committer freebsd_triage 2019-01-21 19:32:40 UTC
There is a commit referencing this PR, but it's still not closed and has been inactive for some time. Closing the PR as fixed but feel free to re-open it if the issue hasn't been completely resolved.

Thanks