g_raid: Prevent tasters from attempting excessively large reads

Some g_raid tasters attempt metadata reads in multiples of the provider
sectorsize.  Reads larger than MAXPHYS are invalid, so detect and abort
in such situations.

Spiritually similar to r217305 / PR 147851.

PR:		214721
Sponsored by:	Dell EMC Isilon

2 files changed, 15 insertions, 0 deletions

diff --git a/sys/geom/raid/md_ddf.c b/sys/geom/raid/md_ddf.c
index df58a1e8da03..87da8feedf9f 100644
--- a/sys/geom/raid/md_ddf.c
+++ b/sys/geom/raid/md_ddf.c
@@ -1161,6 +1161,16 @@ hdrerror:
 		    (GET16(meta, hdr->Configuration_Record_Length) * ss - 512) / 12));
 	}
 
+	if (GET32(meta, hdr->cd_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->pdr_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->vdr_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->cr_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->pdd_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->bbmlog_length) * ss >= MAXPHYS) {
+		G_RAID_DEBUG(1, "%s: Blocksize is too big.", pp->name);
+		goto hdrerror;
+	}
+
 	/* Read controller data. */
 	buf = g_read_data(cp, (lba + GET32(meta, hdr->cd_section)) * ss,
 	    GET32(meta, hdr->cd_length) * ss, &error);
diff --git a/sys/geom/raid/md_promise.c b/sys/geom/raid/md_promise.c
index 245cd74f7dbb..258b4d30ec19 100644
--- a/sys/geom/raid/md_promise.c
+++ b/sys/geom/raid/md_promise.c
@@ -341,6 +341,11 @@ promise_meta_read(struct g_consumer *cp, struct promise_raid_conf **metaarr)
 
 	pp = cp->provider;
 	subdisks = 0;
+
+	if (pp->sectorsize * 4 > MAXPHYS) {
+		G_RAID_DEBUG(1, "%s: Blocksize is too big.", pp->name);
+		return (subdisks);
+	}
 next:
 	/* Read metadata block. */
 	buf = g_read_data(cp, pp->mediasize - pp->sectorsize *