Blame SOURCES/0444-fs-jfs-Limit-the-extents-that-getblk-can-consider.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Daniel Axtens <dja@axtens.net>
9723a8
Date: Mon, 18 Jan 2021 14:57:17 +1100
9723a8
Subject: [PATCH] fs/jfs: Limit the extents that getblk() can consider
9723a8
9723a8
getblk() implicitly trusts that treehead->count is an accurate count of
9723a8
the number of extents. However, that value is read from disk and is not
9723a8
trustworthy, leading to OOB reads and crashes. I am not sure to what
9723a8
extent the data read from OOB can influence subsequent program execution.
9723a8
9723a8
Require callers to pass in the maximum number of extents for which
9723a8
they have storage.
9723a8
9723a8
Signed-off-by: Daniel Axtens <dja@axtens.net>
9723a8
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
9723a8
---
9723a8
 grub-core/fs/jfs.c | 8 +++++---
9723a8
 1 file changed, 5 insertions(+), 3 deletions(-)
9723a8
9723a8
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
b71686
index 1819899bd..6e81f37da 100644
9723a8
--- a/grub-core/fs/jfs.c
9723a8
+++ b/grub-core/fs/jfs.c
9723a8
@@ -261,13 +261,15 @@ static grub_err_t grub_jfs_lookup_symlink (struct grub_jfs_data *data, grub_uint
9723a8
 static grub_int64_t
9723a8
 getblk (struct grub_jfs_treehead *treehead,
9723a8
 	struct grub_jfs_tree_extent *extents,
9723a8
+	int max_extents,
9723a8
 	struct grub_jfs_data *data,
9723a8
 	grub_uint64_t blk)
9723a8
 {
9723a8
   int found = -1;
9723a8
   int i;
9723a8
 
9723a8
-  for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2; i++)
9723a8
+  for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2 &&
9723a8
+	      i < max_extents; i++)
9723a8
     {
9723a8
       if (treehead->flags & GRUB_JFS_TREE_LEAF)
9723a8
 	{
9723a8
@@ -302,7 +304,7 @@ getblk (struct grub_jfs_treehead *treehead,
9723a8
 			   << (grub_le_to_cpu16 (data->sblock.log2_blksz)
9723a8
 			       - GRUB_DISK_SECTOR_BITS), 0,
9723a8
 			   sizeof (*tree), (char *) tree))
9723a8
-	ret = getblk (&tree->treehead, &tree->extents[0], data, blk);
9723a8
+	ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
9723a8
       grub_free (tree);
9723a8
       return ret;
9723a8
     }
9723a8
@@ -316,7 +318,7 @@ static grub_int64_t
9723a8
 grub_jfs_blkno (struct grub_jfs_data *data, struct grub_jfs_inode *inode,
9723a8
 		grub_uint64_t blk)
9723a8
 {
9723a8
-  return getblk (&inode->file.tree, &inode->file.extents[0], data, blk);
9723a8
+  return getblk (&inode->file.tree, &inode->file.extents[0], 16, data, blk);
9723a8
 }
9723a8
 
9723a8