Blame SOURCES/0443-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Daniel Axtens <dja@axtens.net>
9723a8
Date: Mon, 18 Jan 2021 14:51:11 +1100
9723a8
Subject: [PATCH] fs/jfs: Do not move to leaf level if name length is negative
9723a8
9723a8
Fuzzing JFS revealed crashes where a negative number would be passed
9723a8
to le_to_cpu16_copy(). There it would be cast to a large positive number
9723a8
and the copy would read and write off the end of the respective buffers.
9723a8
9723a8
Catch this at the top as well as the bottom of the loop.
9723a8
9723a8
Signed-off-by: Daniel Axtens <dja@axtens.net>
9723a8
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
9723a8
---
9723a8
 grub-core/fs/jfs.c | 2 +-
9723a8
 1 file changed, 1 insertion(+), 1 deletion(-)
9723a8
9723a8
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
b71686
index aab3e8c7b..1819899bd 100644
9723a8
--- a/grub-core/fs/jfs.c
9723a8
+++ b/grub-core/fs/jfs.c
9723a8
@@ -563,7 +563,7 @@ grub_jfs_getent (struct grub_jfs_diropen *diro)
9723a8
 
9723a8
   /* Move down to the leaf level.  */
9723a8
   nextent = leaf->next;
9723a8
-  if (leaf->next != 255)
9723a8
+  if (leaf->next != 255 && len > 0)
9723a8
     do
9723a8
       {
9723a8
  	next_leaf = &diro->next_leaf[nextent];