Blame SOURCES/0442-fs-sfs-Fix-over-read-of-root-object-name.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 18 Jan 2021 14:34:58 +1100
Subject: [PATCH] fs/sfs: Fix over-read of root object name

There's a read of the name of the root object that assumes that the name
is nul-terminated within the root block. This isn't guaranteed - it seems
SFS would require you to read multiple blocks to get a full name in general,
but maybe that doesn't apply to the root object.

Either way, figure out how much space is left in the root block and don't
over-read it. This fixes some OOB reads.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/sfs.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
index 3ddc6b5e287..61d6c303cb3 100644
--- a/grub-core/fs/sfs.c
+++ b/grub-core/fs/sfs.c
@@ -373,6 +373,7 @@ grub_sfs_mount (grub_disk_t disk)
   struct grub_sfs_objc *rootobjc;
   char *rootobjc_data = 0;
   grub_uint32_t blk;
+  unsigned int max_len;
 
   data = grub_malloc (sizeof (*data));
   if (!data)
@@ -421,7 +422,13 @@ grub_sfs_mount (grub_disk_t disk)
   data->diropen.data = data;
   data->diropen.cache = 0;
   data->disk = disk;
-  data->label = grub_strdup ((char *) (rootobjc->objects[0].filename));
+
+  /* We only read 1 block of data, so truncate the name if needed. */
+  max_len = ((GRUB_DISK_SECTOR_SIZE << data->log_blocksize)
+	     - 24    /* offsetof (struct grub_sfs_objc, objects) */
+	     - 25);  /* offsetof (struct grub_sfs_obj, filename) */
+  data->label = grub_zalloc (max_len + 1);
+  grub_strncpy (data->label, (char *) rootobjc->objects[0].filename, max_len);
 
   grub_free (rootobjc_data);
   return data;
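Review bot: the result of `grub_zalloc (max_len + 1)` is handed straight to `grub_strncpy` with no NULL check, so an allocation failure at this point dereferences NULL; add `if (!data->label)` and take the same failure path the earlier `if (!data)` check after `grub_malloc` uses before doing the copy. On the same hunk, the subtracted `24` and `25` are hard-coded while the comments say they stand for `offsetof (struct grub_sfs_objc, objects)` and `offsetof (struct grub_sfs_obj, filename)`; writing the offsetof expressions themselves keeps `max_len` in step with the struct definitions if they ever change. The bound itself is right: `max_len` is the number of bytes from the start of `filename` to the end of the single block that was read, and the extra zeroed byte from `grub_zalloc` guarantees termination even when the name fills all of `max_len`.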