Subject: kern/34026: invalid data could cause kernel panic in src/sys/dev/dkwedge/dkwedge_gpt.c
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <jakllsch@kollasch.net>
List: netbsd-bugs
Date: 07/18/2006 02:55:00
>Number:         34026
>Category:       kern
>Synopsis:       invalid data could cause kernel panic in src/sys/dev/dkwedge/dkwedge_gpt.c
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jul 18 02:55:00 +0000 2006
>Originator:     Jonathan A. Kollasch
>Release:        NetBSD 3.0
>Organization:
>Environment:
System: NetBSD kirkkit.kollasch.net 3.0 NetBSD 3.0 (KIRKKIT) #1: Sat Jul 1 19:22:44 CDT 2006 root@kirkkit.kollasch.net:/usr/src/sys/arch/i386/compile/KIRKKIT i386
Architecture: i386
Machine: i386
>Description:
In gpt_verify_header_crc(), if hdr->hdr_size is larger than the size of the buffer
hdr is in, an in-kernel segmentation fault could occur.  Just plugging in a umass(4)
with specially crafted data could cause this to happen.
>How-To-Repeat:
Put a number greater than 512 in the hdr_size element of the on-disk header,
attach disk to kernel.
>Fix:
Don't check the CRC if the length is obviously bogus.
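
The check described under >Fix:, as an added example that is not part of the original report and is not NetBSD's code: the header size read from disk is range-checked against the buffer before it is used as the CRC length.
Assumptions: the field offsets and the 92-byte minimum follow the UEFI GPT header layout, the names gpt_header_crc_ok and check_sample are hypothetical, and the sample sector is constructed.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE  512u /* buffer the header sector is read into */
#define GPT_HDR_MIN   92u /* smallest valid header size (UEFI GPT layout) */
#define OFF_HDR_SIZE  12u /* little-endian uint32: header size */
#define OFF_HDR_CRC   16u /* little-endian uint32: CRC32 of the header */

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Bitwise CRC-32 (reflected, polynomial 0xEDB88320), the CRC GPT uses. */
static uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Returns 1 if the header CRC verifies, 0 otherwise; buf holds buflen bytes. */
int gpt_header_crc_ok(const uint8_t *buf, size_t buflen) {
    uint8_t copy[SECTOR_SIZE];
    if (buflen < GPT_HDR_MIN || buflen > sizeof(copy))
        return 0;
    uint32_t size = le32(buf + OFF_HDR_SIZE);
    if (size < GPT_HDR_MIN || size > buflen) /* bogus length: never run the CRC */
        return 0;
    memcpy(copy, buf, size);
    memset(copy + OFF_HDR_CRC, 0, 4);        /* CRC field is zero while hashing */
    return crc32_buf(copy, size) == le32(buf + OFF_HDR_CRC);
}

/* Constructed sample sector claiming hdr_size; returns the verdict above. */
int check_sample(uint32_t hdr_size) {
    uint8_t s[SECTOR_SIZE] = "EFI PART";
    uint32_t n = hdr_size <= SECTOR_SIZE ? hdr_size : SECTOR_SIZE;
    put32(s + OFF_HDR_SIZE, hdr_size);
    put32(s + OFF_HDR_CRC, crc32_buf(s, n)); /* CRC field is still zero here */
    return gpt_header_crc_ok(s, sizeof(s));
}
```

A header size of 513 or more, the case from >How-To-Repeat:, is rejected before any byte past the 512-byte buffer is read.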