
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 18 Jan 2021 14:57:17 +1100
Subject: [PATCH] fs/jfs: Limit the extents that getblk() can consider
80913e
getblk() implicitly trusts that treehead->count is an accurate count of
80913e
the number of extents. However, that value is read from disk and is not
80913e
trustworthy, leading to OOB reads and crashes. I am not sure to what
80913e
80913e
Require callers to pass in the maximum number of extents for which
they have storage.
80913e
Signed-off-by: Daniel Axtens <dja@axtens.net>
80913e
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
80913e
---
80913e
 grub-core/fs/jfs.c | 8 +++++---
80913e
 1 file changed, 5 insertions(+), 3 deletions(-)
80913e
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
index 1819899bd..6e81f37da 100644
--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@@ -261,13 +261,15 @@ static grub_err_t grub_jfs_lookup_symlink (struct grub_jfs_data *data, grub_uint
 static grub_int64_t
 getblk (struct grub_jfs_treehead *treehead,
 	struct grub_jfs_tree_extent *extents,
+	int max_extents,
 	struct grub_jfs_data *data,
 	grub_uint64_t blk)
 {
   int found = -1;
   int i;
 
-  for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2; i++)
+  for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2 &&
+	      i < max_extents; i++)
     {
       if (treehead->flags & GRUB_JFS_TREE_LEAF)
 	{
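Review bot: The new `max_extents` parameter carries no statement of its contract, yet the whole fix rests on every caller passing exactly the number of entries backing `extents`; a reader of the loop bound on the `+` lines cannot tell that from the signature. A comment above the parameter would pin the invariant, e.g. `/* max_extents: number of entries the caller has allocated for extents; treehead->count is read from disk and must never be trusted past it. */`. The `- 2` on the count is unexplained as well and deserves a one-line why-comment, since `grub_le_to_cpu16 (treehead->count) - 2` is negative for a count below 2 and then silently skips the loop, which appears intentional but is not stated. getblk's body continues past the end of this hunk.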
@@ -302,7 +304,7 @@ getblk (struct grub_jfs_treehead *treehead,
 			   << (grub_le_to_cpu16 (data->sblock.log2_blksz)
 			       - GRUB_DISK_SECTOR_BITS), 0,
 			   sizeof (*tree), (char *) tree))
-	ret = getblk (&tree->treehead, &tree->extents[0], data, blk);
+	ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
       grub_free (tree);
       return ret;
     }
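Review bot: The bound `254` on the recursive call is a bare literal that has to equal the length of the `extents` array in the struct behind `tree`, and nothing in the hunk ties the two together, so a later change to that struct would silently turn the guard into an off-by-N again. Derive it from the definition instead, `ret = getblk (&tree->treehead, &tree->extents[0], ARRAY_SIZE (tree->extents), data, blk);` if GRUB's ARRAY_SIZE macro is in scope in this file, or share a named constant with the struct declaration; the same applies to the `16` passed from grub_jfs_blkno in the next hunk. Separately, this call recurses on a tree head that was just read from disk and no depth limit is visible here, so a crafted chain or cycle of on-disk block references could presumably still exhaust the stack — likely outside this patch's scope, but worth a follow-up note. getblk starts before this hunk.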
@@ -316,7 +318,7 @@ static grub_int64_t
 grub_jfs_blkno (struct grub_jfs_data *data, struct grub_jfs_inode *inode,
 		grub_uint64_t blk)
 {
-  return getblk (&inode->file.tree, &inode->file.extents[0], data, blk);
+  return getblk (&inode->file.tree, &inode->file.extents[0], 16, data, blk);
 }
 