Subject: kern/34026: invalid data could cause kernel panic in src/sys/dev/dkwedge/dkwedge_gpt.c
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <jakllsch@kollasch.net>
List: netbsd-bugs
Date: 07/18/2006 02:55:00
>Number: 34026
>Category: kern
>Synopsis: invalid data could cause kernel panic in src/sys/dev/dkwedge/dkwedge_gpt.c
>Confidential: no
>Severity: critical
>Priority: low
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jul 18 02:55:00 +0000 2006
>Originator: Jonathan A. Kollasch
>Release: NetBSD 3.0
>Organization:
>Environment:
System: NetBSD kirkkit.kollasch.net 3.0 NetBSD 3.0 (KIRKKIT) #1: Sat Jul 1 19:22:44 CDT 2006 root@kirkkit.kollasch.net:/usr/src/sys/arch/i386/compile/KIRKKIT i386
Architecture: i386
Machine: i386
>Description:
In gpt_verify_header_crc(), if hdr->hdr_size is larger than the size of the buffer
hdr is in, an in-kernel segmentation fault could occur. Just plugging in a umass(4)
with specially crafted data could cause this to happen.
>How-To-Repeat:
Put a number greater than 512 in the hdr_size element of the on-disk header,
attach disk to kernel.
>Fix:
Don't check the CRC if the length is obviously bogus.
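
The length check described under Fix, as an added userspace sketch: this is not code from the report or from the NetBSD source. The function names are hypothetical, the field offsets and the 92-byte minimum are taken from the UEFI GPT header layout, and the sector contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets follow the UEFI GPT header layout; all names here are hypothetical. */
#define HDR_SIZE_OFF 12  /* HeaderSize, little-endian u32 */
#define HDR_CRC_OFF  16  /* HeaderCRC32, computed with this field as zero */
#define HDR_MIN_SIZE 92  /* smallest header that layout defines */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bitwise CRC-32 (reflected, 0xEDB88320); bytes skip..skip+3 count as zero. */
static uint32_t crc32_skip(const uint8_t *p, size_t n, size_t skip) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= (i >= skip && i < skip + 4) ? 0u : p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* 1 = CRC ok, 0 = CRC mismatch, -1 = hdr_size rejected before any CRC pass. */
int gpt_header_check(const uint8_t *buf, size_t buflen) {
    if (buflen < HDR_MIN_SIZE) return -1;
    uint32_t hdr_size = le32(buf + HDR_SIZE_OFF);
    if (hdr_size < HDR_MIN_SIZE || hdr_size > buflen) return -1;
    return crc32_skip(buf, hdr_size, HDR_CRC_OFF) == le32(buf + HDR_CRC_OFF);
}

/* Constructed sample: a 512-byte sector holding a 92-byte header with a valid CRC. */
void make_sample(uint8_t sec[512]) {
    memset(sec, 0, 512);
    memcpy(sec, "EFI PART", 8);
    sec[HDR_SIZE_OFF] = HDR_MIN_SIZE;
    uint32_t crc = crc32_skip(sec, HDR_MIN_SIZE, HDR_CRC_OFF);
    for (int i = 0; i < 4; i++) sec[HDR_CRC_OFF + i] = (uint8_t)(crc >> (8 * i));
}

int main(void) {
    uint8_t sec[512];
    make_sample(sec);
    printf("valid header: %d\n", gpt_header_check(sec, sizeof sec));
    sec[HDR_SIZE_OFF] = 0x01; sec[HDR_SIZE_OFF + 1] = 0x02; /* hdr_size = 513 */
    printf("hdr_size 513: %d\n", gpt_header_check(sec, sizeof sec));
    return 0;
}
```

The on-disk length is compared against the size of the buffer actually read, so the CRC loop never walks past it; the lower bound also rejects a header too short to contain the CRC field.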