rpms / grub2

Clone
Source Code
GIT

Blame SOURCES/0443-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-i686 c8 c8-beta c8s c9 c9-beta
  1.   468bd46927bd2582abe195405d977f29f6277f07
  2.   SOURCES
  3.   0443-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch
Blob History Raw
468bd4 
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
468bd4 
From: Daniel Axtens <dja@axtens.net>
468bd4 
Date: Mon, 18 Jan 2021 14:51:11 +1100
468bd4 
Subject: [PATCH] fs/jfs: Do not move to leaf level if name length is negative
468bd4
468bd4 
Fuzzing JFS revealed crashes where a negative number would be passed
468bd4 
to le_to_cpu16_copy(). There it would be cast to a large positive number
468bd4 
and the copy would read and write off the end of the respective buffers.
468bd4
468bd4 
Catch this at the top as well as the bottom of the loop.
468bd4
468bd4 
Signed-off-by: Daniel Axtens <dja@axtens.net>
468bd4 
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
468bd4 
---
468bd4 
 grub-core/fs/jfs.c | 2 +-
468bd4 
 1 file changed, 1 insertion(+), 1 deletion(-)
468bd4
468bd4 
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
468bd4 
index aab3e8c7b7d..1819899bdec 100644
468bd4 
--- a/grub-core/fs/jfs.c
468bd4 
+++ b/grub-core/fs/jfs.c
468bd4 
@@ -563,7 +563,7 @@ grub_jfs_getent (struct grub_jfs_diropen *diro)
468bd4
468bd4 
   /* Move down to the leaf level.  */
468bd4 
   nextent = leaf->next;
468bd4 
-  if (leaf->next != 255)
468bd4 
+  if (leaf->next != 255 && len > 0)
468bd4 
     do
468bd4 
       {
468bd4 
  	next_leaf = &diro->next_leaf[nextent];

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation