From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Daniel Axtens <dja@axtens.net>

Date: Mon, 18 Jan 2021 14:34:58 +1100

Subject: [PATCH] fs/sfs: Fix over-read of root object name

There's a read of the name of the root object that assumes that the name

is nul-terminated within the root block. This isn't guaranteed - it seems

SFS would require you to read multiple blocks to get a full name in general,

but maybe that doesn't apply to the root object.

Either way, figure out how much space is left in the root block and don't

over-read it. This fixes some OOB reads.

Signed-off-by: Daniel Axtens <dja@axtens.net>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

---

 grub-core/fs/sfs.c | 9 ++++++++-

 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c

index 3ddc6b5e2..61d6c303c 100644

--- a/grub-core/fs/sfs.c

+++ b/grub-core/fs/sfs.c

@@ -373,6 +373,7 @@ grub_sfs_mount (grub_disk_t disk)

   struct grub_sfs_objc *rootobjc;

   char *rootobjc_data = 0;

   grub_uint32_t blk;

+  unsigned int max_len;

   data = grub_malloc (sizeof (*data));

   if (!data)

@@ -421,7 +422,13 @@ grub_sfs_mount (grub_disk_t disk)

   data->diropen.data = data;

   data->diropen.cache = 0;

   data->disk = disk;

-  data->label = grub_strdup ((char *) (rootobjc->objects[0].filename));

+

+  /* We only read 1 block of data, so truncate the name if needed. */

+  max_len = ((GRUB_DISK_SECTOR_SIZE << data->log_blocksize)

+	     - 24    /* offsetof (struct grub_sfs_objc, objects) */

+	     - 25);  /* offsetof (struct grub_sfs_obj, filename) */

+  data->label = grub_zalloc (max_len + 1);

+  grub_strncpy (data->label, (char *) rootobjc->objects[0].filename, max_len);

   grub_free (rootobjc_data);

   return data;