From c232867d8f967c55c393209d922dc51faae2969a Mon Sep 17 00:00:00 2001 From: Alistair Delva Date: Wed, 20 May 2020 13:26:49 -0700 Subject: ANDROID: Fix heap overflow in sgdisk If a maliciously formatted USB or SD Card device was inserted into an Android device, the sgdisk tool could crash. This crash occurs because sgdisk does not validate that the number of GPT partition entries specified on disk matches the internal maximum permitted by the GPT spec. Fix this by sanity checking the on disk parameter before using it. After the fix, sgdisk detects the corrupt GPT during the formatting procedure, but it is harmlessly zapped and replaced with a new one. Test: before fix, saw sgdisk crash while the device was booting up Test: after fix, no more sgdisk crashes Test: went through "portable storage" and "adopted storage" wizard flows using the cuttlefish virtual device and a malicious partition table flashed to the device Bug: 152874864 Change-Id: Iec64bc2ef5c31ad985126f9cf3b755eec7de3abe --- gpt.cc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/gpt.cc b/gpt.cc index 9ad769a..303bdf7 100644 --- a/gpt.cc +++ b/gpt.cc @@ -952,7 +952,10 @@ int GPTData::LoadPartitionTable(const struct GPTHeader & header, DiskIO & disk, uint32_t sizeOfParts, newCRC; int retval; - if (disk.OpenForRead()) { + if (header.sizeOfPartitionEntries != sizeof(GPTPart)) { + cerr << "Error! GPT header contains invalid partition entry size!\n"; + retval = 0; + } else if (disk.OpenForRead()) { if (sector == 0) { retval = disk.Seek(header.partitionEntriesLBA); } else { -- cgit v1.2.3
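Review bot: the new condition in `GPTData::LoadPartitionTable` checks the per-entry size (`header.sizeOfPartitionEntries != sizeof(GPTPart)`), while the commit message describes the missing validation as being on the number of partition entries. The two should agree: either reword the message to say the entry size is what gets validated, or, if the entry count from the header also feeds the `uint32_t sizeOfParts` declared in the context lines, add an explicit upper bound on that count in the same place so the size computation cannot be driven by an unchecked on-disk value. Two smaller points on the same branch: the strict equality rejects any table whose entry size differs from `sizeof(GPTPart)`, including sizes that are larger but well-formed, so a short comment stating that this is intentional would help later readers. The error text would also be more useful in a bug report if it printed the offending `header.sizeOfPartitionEntries` value alongside the expected one.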