author Jasraj Bedi <jasrajb@google.com> 2020-06-06 01:42:05 +0000
committer android-build-team Robot <android-build-team-robot@google.com> 2020-11-18 22:50:32 +0000
commit 6d369451868ce71618144c4f4bd645ae48f0d1c5
tree 869249bbe6844741362dde911c3ed32947641cb8
parent a87dd6178cc6a58ab0ebc9dafbbe171017e1eebf
RESTRICT AUTOMERGE
ANDROID: Fix negative stack write in sgdisk

A maliciously formatted USB or SD Card device when inserted into an Android device could crash sgdisk. This crash occurs because sgdisk does not validate the number of cyclic partitions, which leads to an integer underflow ultimately causing a negative indexed stack write.

Fix this by making sure the number of partitions doesn't go negative. After the fix, sgdisk detects the broken GPT and partitions it correctly.

Author: jasrajb@google.com
Bug: 158063095
Test: before fix, sgdisk crashed when USB with malicious GPT was inserted
Test: after fix, sgdisk didn't crash
Test: went through the "formatting" wizard with a malicious GPT and sgdisk successfully reformatted it to vfat
Change-Id: Ie0257a68f6a0140b98fb7d104dc2ffd1f5c2afde
(cherry picked from commit 28ba37956b338e4d5c58f7d8c43c4153f057d482)
-rw-r--r-- basicmbr.cc 3
1 files changed, 2 insertions, 1 deletions
diff --git a/basicmbr.cc b/basicmbr.cc
index 8ac9789..e9ac5c5 100644
--- a/basicmbr.cc
+++ b/basicmbr.cc
@@ -292,7 +292,8 @@ int BasicMBRData::ReadLogicalParts(uint64_t extendedStart, int partNum) {
if (EbrLocations[i] == offset) { // already read this one; infinite logical partition loop!
cerr << "Logical partition infinite loop detected! This is being corrected.\n";
allOK = -1;
- partNum -= 1;
+ if(partNum > 0) //don't go negative
+ partNum -= 1;
} // if
} // for
EbrLocations[partNum] = offset;
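Review bot: The new `if(partNum > 0)` guard only stops the decrement at zero; the store `EbrLocations[partNum] = offset;` after the loop still has no bounds check in this hunk, so its safety depends on every other path that changes partNum. Consider validating the index at the write itself (non-negative and below the size of EbrLocations) and returning an error when it fails, instead of relying on a clamp inside the loop-detection branch. The decrement also sits inside the `for` with no `break` visible in these lines, so it can run more than once in a single pass if more than one entry equals offset; if a single match is all that is intended, leave the loop after setting allOK. Minor style: the surrounding code writes `if (` with a space and puts a space after `//`.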