|
 |
b35c50 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
b35c50 |
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
|
|
b35c50 |
Date: Wed, 6 Apr 2022 18:49:09 +0530
|
|
|
b35c50 |
Subject: [PATCH] fs/f2fs: Do not read past the end of nat bitmap
|
|
|
b35c50 |
|
|
|
b35c50 |
A corrupt f2fs filesystem could have a block offset or a bitmap
|
|
|
b35c50 |
offset that would cause us to read beyond the bounds of the nat
|
|
|
b35c50 |
bitmap.
|
|
|
b35c50 |
|
|
|
b35c50 |
Introduce the nat_bitmap_size member in grub_f2fs_data which holds
|
|
|
b35c50 |
the size of nat bitmap.
|
|
|
b35c50 |
|
|
|
b35c50 |
Set the size when loading the nat bitmap in nat_bitmap_ptr(), and
|
|
|
b35c50 |
catch when an invalid offset would create a pointer past the end of
|
|
|
b35c50 |
the allocated space.
|
|
|
b35c50 |
|
|
|
b35c50 |
Check against the bitmap size in grub_f2fs_test_bit() test bit to avoid
|
|
|
b35c50 |
reading past the end of the nat bitmap.
|
|
|
b35c50 |
|
|
|
b35c50 |
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
|
|
b35c50 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
b35c50 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
b35c50 |
(cherry picked from commit 62d63d5e38c67a6e349148bf7cb87c560e935a7e)
|
|
|
b35c50 |
---
|
|
|
b35c50 |
grub-core/fs/f2fs.c | 33 +++++++++++++++++++++++++++------
|
|
|
b35c50 |
1 file changed, 27 insertions(+), 6 deletions(-)
|
|
|
b35c50 |
|
|
|
b35c50 |
diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c
|
|
|
b35c50 |
index 63702214b0..8898b235e0 100644
|
|
|
b35c50 |
--- a/grub-core/fs/f2fs.c
|
|
|
b35c50 |
+++ b/grub-core/fs/f2fs.c
|
|
|
b35c50 |
@@ -122,6 +122,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
b35c50 |
#define F2FS_INLINE_DOTS 0x10 /* File having implicit dot dentries. */
|
|
|
b35c50 |
|
|
|
b35c50 |
#define MAX_VOLUME_NAME 512
|
|
|
b35c50 |
+#define MAX_NAT_BITMAP_SIZE 3900
|
|
|
b35c50 |
|
|
|
b35c50 |
enum FILE_TYPE
|
|
|
b35c50 |
{
|
|
|
b35c50 |
@@ -183,7 +184,7 @@ struct grub_f2fs_checkpoint
|
|
|
b35c50 |
grub_uint32_t checksum_offset;
|
|
|
b35c50 |
grub_uint64_t elapsed_time;
|
|
|
b35c50 |
grub_uint8_t alloc_type[MAX_ACTIVE_LOGS];
|
|
|
b35c50 |
- grub_uint8_t sit_nat_version_bitmap[3900];
|
|
|
b35c50 |
+ grub_uint8_t sit_nat_version_bitmap[MAX_NAT_BITMAP_SIZE];
|
|
|
b35c50 |
grub_uint32_t checksum;
|
|
|
b35c50 |
} GRUB_PACKED;
|
|
|
b35c50 |
|
|
|
b35c50 |
@@ -302,6 +303,7 @@ struct grub_f2fs_data
|
|
|
b35c50 |
|
|
|
b35c50 |
struct grub_f2fs_nat_journal nat_j;
|
|
|
b35c50 |
char *nat_bitmap;
|
|
|
b35c50 |
+ grub_uint32_t nat_bitmap_size;
|
|
|
b35c50 |
|
|
|
b35c50 |
grub_disk_t disk;
|
|
|
b35c50 |
struct grub_f2fs_node *inode;
|
|
|
b35c50 |
@@ -377,15 +379,20 @@ sum_blk_addr (struct grub_f2fs_data *data, int base, int type)
|
|
|
b35c50 |
}
|
|
|
b35c50 |
|
|
|
b35c50 |
static void *
|
|
|
b35c50 |
-nat_bitmap_ptr (struct grub_f2fs_data *data)
|
|
|
b35c50 |
+nat_bitmap_ptr (struct grub_f2fs_data *data, grub_uint32_t *nat_bitmap_size)
|
|
|
b35c50 |
{
|
|
|
b35c50 |
struct grub_f2fs_checkpoint *ckpt = &data->ckpt;
|
|
|
b35c50 |
grub_uint32_t offset;
|
|
|
b35c50 |
+ *nat_bitmap_size = MAX_NAT_BITMAP_SIZE;
|
|
|
b35c50 |
|
|
|
b35c50 |
if (grub_le_to_cpu32 (data->sblock.cp_payload) > 0)
|
|
|
b35c50 |
return ckpt->sit_nat_version_bitmap;
|
|
|
b35c50 |
|
|
|
b35c50 |
offset = grub_le_to_cpu32 (ckpt->sit_ver_bitmap_bytesize);
|
|
|
b35c50 |
+ if (offset >= MAX_NAT_BITMAP_SIZE)
|
|
|
b35c50 |
+ return NULL;
|
|
|
b35c50 |
+
|
|
|
b35c50 |
+ *nat_bitmap_size = *nat_bitmap_size - offset;
|
|
|
b35c50 |
|
|
|
b35c50 |
return ckpt->sit_nat_version_bitmap + offset;
|
|
|
b35c50 |
}
|
|
|
b35c50 |
@@ -438,11 +445,15 @@ grub_f2fs_crc_valid (grub_uint32_t blk_crc, void *buf, const grub_uint32_t len)
|
|
|
b35c50 |
}
|
|
|
b35c50 |
|
|
|
b35c50 |
static int
|
|
|
b35c50 |
-grub_f2fs_test_bit (grub_uint32_t nr, const char *p)
|
|
|
b35c50 |
+grub_f2fs_test_bit (grub_uint32_t nr, const char *p, grub_uint32_t len)
|
|
|
b35c50 |
{
|
|
|
b35c50 |
int mask;
|
|
|
b35c50 |
+ grub_uint32_t shifted_nr = (nr >> 3);
|
|
|
b35c50 |
|
|
|
b35c50 |
- p += (nr >> 3);
|
|
|
b35c50 |
+ if (shifted_nr >= len)
|
|
|
b35c50 |
+ return -1;
|
|
|
b35c50 |
+
|
|
|
b35c50 |
+ p += shifted_nr;
|
|
|
b35c50 |
mask = 1 << (7 - (nr & 0x07));
|
|
|
b35c50 |
|
|
|
b35c50 |
return mask & *p;
|
|
|
b35c50 |
@@ -662,6 +673,7 @@ get_node_blkaddr (struct grub_f2fs_data *data, grub_uint32_t nid)
|
|
|
b35c50 |
grub_uint32_t seg_off, block_off, entry_off, block_addr;
|
|
|
b35c50 |
grub_uint32_t blkaddr = 0;
|
|
|
b35c50 |
grub_err_t err;
|
|
|
b35c50 |
+ int result_bit;
|
|
|
b35c50 |
|
|
|
b35c50 |
err = get_blkaddr_from_nat_journal (data, nid, &blkaddr);
|
|
|
b35c50 |
if (err != GRUB_ERR_NONE)
|
|
|
b35c50 |
@@ -682,8 +694,15 @@ get_node_blkaddr (struct grub_f2fs_data *data, grub_uint32_t nid)
|
|
|
b35c50 |
((seg_off * data->blocks_per_seg) << 1) +
|
|
|
b35c50 |
(block_off & (data->blocks_per_seg - 1));
|
|
|
b35c50 |
|
|
|
b35c50 |
- if (grub_f2fs_test_bit (block_off, data->nat_bitmap))
|
|
|
b35c50 |
+ result_bit = grub_f2fs_test_bit (block_off, data->nat_bitmap,
|
|
|
b35c50 |
+ data->nat_bitmap_size);
|
|
|
b35c50 |
+ if (result_bit > 0)
|
|
|
b35c50 |
block_addr += data->blocks_per_seg;
|
|
|
b35c50 |
+ else if (result_bit == -1)
|
|
|
b35c50 |
+ {
|
|
|
b35c50 |
+ grub_free (nat_block);
|
|
|
b35c50 |
+ return 0;
|
|
|
b35c50 |
+ }
|
|
|
b35c50 |
|
|
|
b35c50 |
err = grub_f2fs_block_read (data, block_addr, nat_block);
|
|
|
b35c50 |
if (err)
|
|
|
b35c50 |
@@ -833,7 +852,9 @@ grub_f2fs_mount (grub_disk_t disk)
|
|
|
b35c50 |
if (err)
|
|
|
b35c50 |
goto fail;
|
|
|
b35c50 |
|
|
|
b35c50 |
- data->nat_bitmap = nat_bitmap_ptr (data);
|
|
|
b35c50 |
+ data->nat_bitmap = nat_bitmap_ptr (data, &data->nat_bitmap_size);
|
|
|
b35c50 |
+ if (data->nat_bitmap == NULL)
|
|
|
b35c50 |
+ goto fail;
|
|
|
b35c50 |
|
|
|
b35c50 |
err = get_nat_journal (data);
|
|
|
b35c50 |
if (err)
|