seL4 / camkes-vm

Virtual Machine built as a CAmkES component.

Security vuln in Satadriver: read/write past partition boundary. #130

Open ANogin opened 4 months ago

ANogin commented 4 months ago

components/Sataserver/src/sataserver.c has the following code for read (and very similar for write):

        /* translate the client's partition-relative sector into an offset */
        found = calulate_sector_offset(client, &offset, (uint32_t)sector);
        if (found) {
            /* len / SATA_BLK_SIZE sectors are read starting at sector + offset;
               nothing checks that the range stays inside the client's partition */
            err = sata_read_sectors(&sata_driver, drive, len / SATA_BLK_SIZE, sector + offset, packet);

where len is up to 4096, and sector is in SATA_BLK_SIZE units (typically, 512). This means that if sector points to a location within <8 blocks of the end of a partition, the read/write can go up to 3584 bytes past the end of partition, exposing up to 7 sectors at the beginning of the next partition, even if that partition is configured to be inaccessible to the Sataserver.

I fixed that bug while at HRL under DARPA HACMS contract; DARPA have subsequently released the code under distribution A. Attached patch was received directly from DARPA without any nondisclosure conditions: 0002-Fixed-several-bugs-in-the-storage-driver.patch.

Note that there was an issue with this - it eliminates the limit in the buffer size for read/write. This did not cause issues with Ubuntu host, but did cause issues with CentOS hosts. A possible fix (which was not included in the DARPA-released code) is to support partial reads/writes.
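The boundary arithmetic described above, as an added example that is not the Sataserver code and not the DARPA patch: `overrun_bytes` reproduces how far a length-4096 request starting near the end of a partition reaches past it, and `bounded_request_len` is the kind of check (with truncation to a partial read/write) that would prevent it. The `partition_t` layout, `demo_part` values and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define SATA_BLK_SIZE 512u   /* sector size assumed in the issue */

/* Constructed partition descriptor (hypothetical, not the driver's own type). */
typedef struct {
    uint64_t first_sector;   /* absolute LBA of the partition's first sector */
    uint64_t sector_count;   /* number of sectors the partition owns */
} partition_t;

/* Constructed sample partition: 1000 sectors starting at LBA 2048. */
static const partition_t demo_part = { 2048, 1000 };

/* How many bytes a request of len bytes at partition-relative sector
 * rel_sector would touch beyond the partition if no check is applied.
 * This mirrors the unchecked len / SATA_BLK_SIZE sector count in the report. */
size_t overrun_bytes(const partition_t *p, uint64_t rel_sector, size_t len)
{
    uint64_t want = len / SATA_BLK_SIZE;
    uint64_t end = rel_sector + want;          /* one past the last sector touched */
    if (end <= p->sector_count)
        return 0;
    return (size_t)((end - p->sector_count) * SATA_BLK_SIZE);
}

/* Number of bytes of the request that may actually be issued to the drive.
 * 0 rejects the request (misaligned length or start beyond the partition);
 * a value smaller than len means the caller must perform a partial read/write
 * rather than letting the transfer spill into the next partition. */
size_t bounded_request_len(const partition_t *p, uint64_t rel_sector, size_t len)
{
    if (len == 0 || len % SATA_BLK_SIZE != 0)
        return 0;                              /* whole sectors only */
    if (rel_sector >= p->sector_count)
        return 0;                              /* start is already past the end */
    uint64_t remaining = p->sector_count - rel_sector;
    uint64_t want = len / SATA_BLK_SIZE;
    if (want <= remaining)
        return len;                            /* fits entirely */
    return (size_t)(remaining * SATA_BLK_SIZE); /* clamp to the partition end */
}

/* Absolute LBA the bounded request starts at, for use with the drive API. */
uint64_t absolute_lba(const partition_t *p, uint64_t rel_sector)
{
    return p->first_sector + rel_sector;
}
```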

lsf37 commented 4 months ago

Hey @Furao -- is this relevant to your VM setup? Would you be able to have a look at it?