[src/trunk]: src/sys/arch/i386/stand/lib Fix buffer overflow in BIOS disk geo...

[manu <manu%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/09a49a0d37f1
branches:  trunk
changeset: 458570:09a49a0d37f1
user:      manu <manu%NetBSD.org@localhost>
date:      Thu Aug 01 13:11:03 2019 +0000

description:
Fix buffer overflow in BIOS disk geometry collect for bootinfo

This spares a boot-time panic on iMac with fusion drive, which
feature both a hard drive and a solid-state drive.

diffstat:

 sys/arch/i386/stand/lib/bootinfo_biosgeom.c |  13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

diffs (39 lines):

diff -r b4879127e2ca -r 09a49a0d37f1 sys/arch/i386/stand/lib/bootinfo_biosgeom.c
--- a/sys/arch/i386/stand/lib/bootinfo_biosgeom.c       Thu Aug 01 12:28:53 2019 +0000
+++ b/sys/arch/i386/stand/lib/bootinfo_biosgeom.c       Thu Aug 01 13:11:03 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: bootinfo_biosgeom.c,v 1.23 2017/01/24 11:09:14 nonaka Exp $    */
+/*     $NetBSD: bootinfo_biosgeom.c,v 1.24 2019/08/01 13:11:03 manu Exp $      */
 
 /*
  * Copyright (c) 1997
@@ -60,6 +60,7 @@
 bi_getbiosgeom(void)
 {
        struct btinfo_biosgeom *bibg;
+       size_t bibg_len = sizeof(*bibg);
        int i, j, nvalid;
        int nhd;
        unsigned int cksum;
@@ -72,8 +73,8 @@
        printf("nhd %d\n", nhd);
 #endif
 
-       bibg = alloc(sizeof(struct btinfo_biosgeom)
-                    + (nhd - 1) * sizeof(struct bi_biosgeom_entry));
+       bibg_len += nhd * sizeof(struct bi_biosgeom_entry); 
+       bibg = alloc(bibg_len);
        if (bibg == NULL)
                return;
 
@@ -175,6 +176,8 @@
 
        bibg->num = nvalid;
 
-       BI_ADD(bibg, BTINFO_BIOSGEOM, sizeof(struct btinfo_biosgeom)
-              + nvalid * sizeof(struct bi_biosgeom_entry));
+       if (nvalid < nhd)
+               bibg_len -= (nhd - nvalid) * sizeof(struct bi_biosgeom_entry);
+
+       BI_ADD(bibg, BTINFO_BIOSGEOM, bibg_len);
 }