Blame SOURCES/0406-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch

b1bcb2
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b1bcb2
From: Daniel Axtens <dja@axtens.net>
b1bcb2
Date: Mon, 18 Jan 2021 14:51:11 +1100
b1bcb2
Subject: [PATCH] fs/jfs: Do not move to leaf level if name length is negative
b1bcb2
b1bcb2
Fuzzing JFS revealed crashes where a negative number would be passed
b1bcb2
to le_to_cpu16_copy(). There it would be cast to a large positive number
b1bcb2
and the copy would read and write off the end of the respective buffers.
b1bcb2
b1bcb2
Catch this at the top as well as the bottom of the loop.
b1bcb2
b1bcb2
Signed-off-by: Daniel Axtens <dja@axtens.net>
b1bcb2
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
b1bcb2
---
b1bcb2
 grub-core/fs/jfs.c | 2 +-
b1bcb2
 1 file changed, 1 insertion(+), 1 deletion(-)
b1bcb2
b1bcb2
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
b1bcb2
index aab3e8c7b7d..1819899bdec 100644
b1bcb2
--- a/grub-core/fs/jfs.c
b1bcb2
+++ b/grub-core/fs/jfs.c
b1bcb2
@@ -563,7 +563,7 @@ grub_jfs_getent (struct grub_jfs_diropen *diro)
b1bcb2
 
b1bcb2
   /* Move down to the leaf level.  */
b1bcb2
   nextent = leaf->next;
b1bcb2
-  if (leaf->next != 255)
b1bcb2
+  if (leaf->next != 255 && len > 0)
b1bcb2
     do
b1bcb2
       {
b1bcb2
  	next_leaf = &diro->next_leaf[nextent];