|
 |
e28c09 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
e28c09 |
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
|
|
e28c09 |
Date: Wed, 6 Apr 2022 18:17:43 +0530
|
|
|
e28c09 |
Subject: [PATCH] fs/f2fs: Do not copy file names that are too long
|
|
|
e28c09 |
|
|
|
e28c09 |
A corrupt f2fs file system might specify a name length which is greater
|
|
|
e28c09 |
than the maximum name length supported by the GRUB f2fs driver.
|
|
|
e28c09 |
|
|
|
e28c09 |
We will allocate enough memory to store the overly long name, but there
|
|
|
e28c09 |
are only F2FS_NAME_LEN bytes in the source, so we would read past the end
|
|
|
e28c09 |
of the source.
|
|
|
e28c09 |
|
|
|
e28c09 |
While checking directory entries, do not copy a file name with an invalid
|
|
|
e28c09 |
length.
|
|
|
e28c09 |
|
|
|
e28c09 |
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
|
|
e28c09 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
e28c09 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
e28c09 |
(cherry picked from commit 9a891f638509e031d322c94e3cbcf38d36f3993a)
|
|
|
e28c09 |
(cherry picked from commit 13f9160ae0d2806baed459884999356817096cd7)
|
|
|
e28c09 |
---
|
|
|
e28c09 |
grub-core/fs/f2fs.c | 4 ++++
|
|
|
e28c09 |
1 file changed, 4 insertions(+)
|
|
|
e28c09 |
|
|
|
e28c09 |
diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c
|
|
|
e28c09 |
index 8898b235e0..df6beb544c 100644
|
|
|
e28c09 |
--- a/grub-core/fs/f2fs.c
|
|
|
e28c09 |
+++ b/grub-core/fs/f2fs.c
|
|
|
e28c09 |
@@ -1003,6 +1003,10 @@ grub_f2fs_check_dentries (struct grub_f2fs_dir_iter_ctx *ctx)
|
|
|
e28c09 |
|
|
|
e28c09 |
ftype = ctx->dentry[i].file_type;
|
|
|
e28c09 |
name_len = grub_le_to_cpu16 (ctx->dentry[i].name_len);
|
|
|
e28c09 |
+
|
|
|
e28c09 |
+ if (name_len >= F2FS_NAME_LEN)
|
|
|
e28c09 |
+ return 0;
|
|
|
e28c09 |
+
|
|
|
e28c09 |
filename = grub_malloc (name_len + 1);
|
|
|
e28c09 |
if (!filename)
|
|
|
e28c09 |
return 0;
|