dcavalca / rpms / grub2

Forked from rpms/grub2 3 years ago
Clone
9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Daniel Axtens <dja@axtens.net>
9723a8
Date: Mon, 18 Jan 2021 15:47:24 +1100
9723a8
Subject: [PATCH] fs/jfs: Catch infinite recursion
9723a8
9723a8
It's possible with a fuzzed filesystem for JFS to keep getblk()-ing
9723a8
the same data over and over again, leading to stack exhaustion.
9723a8
9723a8
Check if we'd be calling the function with exactly the same data as
9723a8
was passed in, and if so abort.
9723a8
9723a8
I'm not sure what the performance impact of this is and am open to
9723a8
better ideas.
9723a8
9723a8
Signed-off-by: Daniel Axtens <dja@axtens.net>
9723a8
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
9723a8
---
9723a8
 grub-core/fs/jfs.c | 11 ++++++++++-
9723a8
 1 file changed, 10 insertions(+), 1 deletion(-)
9723a8
9723a8
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
9723a8
index 6e81f37da6c..20d966abfc0 100644
9723a8
--- a/grub-core/fs/jfs.c
9723a8
+++ b/grub-core/fs/jfs.c
9723a8
@@ -304,7 +304,16 @@ getblk (struct grub_jfs_treehead *treehead,
9723a8
 			   << (grub_le_to_cpu16 (data->sblock.log2_blksz)
9723a8
 			       - GRUB_DISK_SECTOR_BITS), 0,
9723a8
 			   sizeof (*tree), (char *) tree))
9723a8
-	ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
9723a8
+	{
9723a8
+	  if (grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) ||
9723a8
+	      grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent)))
9723a8
+	    ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
9723a8
+	  else
9723a8
+	    {
9723a8
+	      grub_error (GRUB_ERR_BAD_FS, "jfs: infinite recursion detected");
9723a8
+	      ret = -1;
9723a8
+	    }
9723a8
+	}
9723a8
       grub_free (tree);
9723a8
       return ret;
9723a8
     }