Blame SOURCES/0443-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch

80913e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
80913e
From: Daniel Axtens <dja@axtens.net>
80913e
Date: Mon, 18 Jan 2021 14:51:11 +1100
80913e
Subject: [PATCH] fs/jfs: Do not move to leaf level if name length is negative
80913e
80913e
Fuzzing JFS revealed crashes where a negative number would be passed
80913e
to le_to_cpu16_copy(). There it would be cast to a large positive number
80913e
and the copy would read and write off the end of the respective buffers.
80913e
80913e
Catch this at the top as well as the bottom of the loop.
80913e
80913e
Signed-off-by: Daniel Axtens <dja@axtens.net>
80913e
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
80913e
---
80913e
 grub-core/fs/jfs.c | 2 +-
80913e
 1 file changed, 1 insertion(+), 1 deletion(-)
80913e
80913e
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
80913e
index aab3e8c7b7d..1819899bdec 100644
80913e
--- a/grub-core/fs/jfs.c
80913e
+++ b/grub-core/fs/jfs.c
80913e
@@ -563,7 +563,7 @@ grub_jfs_getent (struct grub_jfs_diropen *diro)
80913e
 
80913e
   /* Move down to the leaf level.  */
80913e
   nextent = leaf->next;
80913e
-  if (leaf->next != 255)
80913e
+  if (leaf->next != 255 && len > 0)
80913e
     do
80913e
       {
80913e
  	next_leaf = &diro->next_leaf[nextent];