From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 18 Jan 2021 14:57:17 +1100
Subject: [PATCH] fs/jfs: Limit the extents that getblk() can consider
getblk() implicitly trusts that treehead->count is an accurate count of
the number of extents. However, that value is read from disk and is not
trustworthy, leading to OOB reads and crashes. I am not sure to what
extent the data read from OOB can influence subsequent program execution.
Require callers to pass in the maximum number of extents for which
they have storage.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/jfs.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
index 1819899bdec..6e81f37da6c 100644
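--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@@ -261,13 +261,15 @@ static grub_err_t grub_jfs_lookup_symlink (struct grub_jfs_data *data, grub_uint
 static grub_int64_t
 getblk (struct grub_jfs_treehead *treehead,
 struct grub_jfs_tree_extent *extents,
+ int max_extents,
 struct grub_jfs_data *data,
 grub_uint64_t blk)
 {
 int found = -1;
 int i;
 
- for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2; i++)
+ for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2 &&
+ i < max_extents; i++)
 {
 if (treehead->flags & GRUB_JFS_TREE_LEAF)
 {
@@ -302,7 +304,7 @@ getblk (struct grub_jfs_treehead *treehead,
 << (grub_le_to_cpu16 (data->sblock.log2_blksz)
 - GRUB_DISK_SECTOR_BITS), 0,
 sizeof (*tree), (char *) tree))
- ret = getblk (&tree->treehead, &tree->extents[0], data, blk);
+ ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
 grub_free (tree);
 return ret;
 }
@@ -316,7 +318,7 @@ static grub_int64_t
 grub_jfs_blkno (struct grub_jfs_data *data, struct grub_jfs_inode *inode,
 grub_uint64_t blk)
 {
- return getblk (&inode->file.tree, &inode->file.extents[0], data, blk);
+ return getblk (&inode->file.tree, &inode->file.extents[0], 16, data, blk);
 }
 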
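Review bot: The bounds passed at the two call sites, `254` in the recursive `getblk` call and `16` in `grub_jfs_blkno`, are bare literals that presumably mirror the declared sizes of `tree->extents` and `inode->file.extents`, neither of which is visible in these hunks. If either array is resized later the literal goes stale and the out-of-bounds read this patch closes can come back unnoticed, so, assuming both members are true arrays, derive the bound from the storage itself: `ret = getblk (&tree->treehead, &tree->extents[0], ARRAY_SIZE (tree->extents), data, blk);` and likewise `ARRAY_SIZE (inode->file.extents)`. Separately, the new loop condition in the first hunk clamps an oversized on-disk `treehead->count` without reporting it; a short comment there such as `/* count comes from disk; never walk past the caller's storage */` would record that the clamp is deliberate, and it may be worth deciding whether a count exceeding the storage should be treated as a corrupt filesystem rather than silently truncated. The body of `getblk` continues outside the hunks shown, so how `found` is used after the loop could not be checked here.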