diff options
| author | Jasraj Bedi <jasrajb@google.com> | 2020-06-06 01:42:05 +0000 |
|---|---|---|
| committer | Anis Assi <anisassi@google.com> | 2020-11-12 11:45:25 -0800 |
| commit | c3a4c4a554efc93fa1172e938cf50d405ff979a8 (patch) | |
| tree | 90eb721b3e8d0c1c83a5e283924627b7226df49b | |
| parent | c59dc86402e2990ca4a2dd81c6f7c2bd7d2d85ad (diff) | |
| download | gptfdisk-oreo-security-release.tar.gz | |
RESTRICT AUTOMERGEandroid-security-8.0.0_r54oreo-security-release
ANDROID: Fix negative stack write in sgdisk
A maliciously formatted USB or SD Card device when inserted into an Android device could crash sgdisk. This crash occurs because sgdisk does does not validate the number of cyclic partitions, which leads to an integer underflow ultimately causing a negative indexed stack write.
Fix this by making sure the number of partitions don't go negative.
After the fix, sgdisk detects the broken GPT and partitions it correctly
Author: jasrajb@google.com
Bug: 158063095
Test: before fix, sgdisk crashed when USB with malicious GPT was inserted
Test: after fix, sgdisk didn't crash
Test: went through the "formatting" wizard with a malicious GPT and sgdisk successfully reformatted it to vfat
Change-Id: Ie0257a68f6a0140b98fb7d104dc2ffd1f5c2afde
(cherry picked from commit e384a934c4f887fd04bb56635120dc679e54808a)
| -rw-r--r-- | basicmbr.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/basicmbr.cc b/basicmbr.cc index 23f35b4..81e42ca 100644 --- a/basicmbr.cc +++ b/basicmbr.cc @@ -260,7 +260,8 @@ int BasicMBRData::ReadLogicalParts(uint64_t extendedStart, int partNum) { if (EbrLocations[i] == offset) { // already read this one; infinite logical partition loop! cerr << "Logical partition infinite loop detected! This is being corrected.\n"; allOK = -1; - partNum -= 1; + if(partNum > 0) //don't go negative + partNum -= 1; } // if } // for EbrLocations[partNum] = offset; |