|
 |
b1bcb2 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
b1bcb2 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
b1bcb2 |
Date: Mon, 18 Jan 2021 16:49:09 +1100
|
|
|
b1bcb2 |
Subject: [PATCH] fs/nilfs2: Reject too-large keys
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
NILFS2 has up to 7 keys, per the data structure. Do not permit array
|
|
|
b1bcb2 |
indices in excess of that.
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
This catches some OOB reads. I don't know how controllable the invalidly
|
|
|
b1bcb2 |
read data is or if that could be used later in the program.
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
b1bcb2 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
b1bcb2 |
---
|
|
|
b1bcb2 |
grub-core/fs/nilfs2.c | 7 ++++++-
|
|
|
b1bcb2 |
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
|
|
|
b1bcb2 |
index 388ee188edc..09e89f615bc 100644
|
|
|
b1bcb2 |
--- a/grub-core/fs/nilfs2.c
|
|
|
b1bcb2 |
+++ b/grub-core/fs/nilfs2.c
|
|
|
b1bcb2 |
@@ -569,6 +569,11 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data,
|
|
|
b1bcb2 |
static inline grub_uint64_t
|
|
|
b1bcb2 |
grub_nilfs2_direct_lookup (struct grub_nilfs2_inode *inode, grub_uint64_t key)
|
|
|
b1bcb2 |
{
|
|
|
b1bcb2 |
+ if (1 + key > 6)
|
|
|
b1bcb2 |
+ {
|
|
|
b1bcb2 |
+ grub_error (GRUB_ERR_BAD_FS, "key is too large");
|
|
|
b1bcb2 |
+ return 0xffffffffffffffff;
|
|
|
b1bcb2 |
+ }
|
|
|
b1bcb2 |
return grub_le_to_cpu64 (inode->i_bmap[1 + key]);
|
|
|
b1bcb2 |
}
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
@@ -584,7 +589,7 @@ grub_nilfs2_bmap_lookup (struct grub_nilfs2_data *data,
|
|
|
b1bcb2 |
{
|
|
|
b1bcb2 |
grub_uint64_t ptr;
|
|
|
b1bcb2 |
ptr = grub_nilfs2_direct_lookup (inode, key);
|
|
|
b1bcb2 |
- if (need_translate)
|
|
|
b1bcb2 |
+ if (ptr != ((grub_uint64_t) 0xffffffffffffffff) && need_translate)
|
|
|
b1bcb2 |
ptr = grub_nilfs2_dat_translate (data, ptr);
|
|
|
b1bcb2 |
return ptr;
|
|
|
b1bcb2 |
}
|