Blame SOURCES/0444-fs-jfs-Limit-the-extents-that-getblk-can-consider.patch

468bd4
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
468bd4
From: Daniel Axtens <dja@axtens.net>
468bd4
Date: Mon, 18 Jan 2021 14:57:17 +1100
468bd4
Subject: [PATCH] fs/jfs: Limit the extents that getblk() can consider
468bd4
468bd4
getblk() implicitly trusts that treehead->count is an accurate count of
468bd4
the number of extents. However, that value is read from disk and is not
468bd4
trustworthy, leading to OOB reads and crashes. I am not sure to what
468bd4
extent the data read from OOB can influence subsequent program execution.
468bd4
468bd4
Require callers to pass in the maximum number of extents for which
468bd4
they have storage.
468bd4
468bd4
Signed-off-by: Daniel Axtens <dja@axtens.net>
468bd4
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
468bd4
---
468bd4
 grub-core/fs/jfs.c | 8 +++++---
468bd4
 1 file changed, 5 insertions(+), 3 deletions(-)
468bd4
468bd4
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
f6e916
index 1819899bd..6e81f37da 100644
468bd4
--- a/grub-core/fs/jfs.c
468bd4
+++ b/grub-core/fs/jfs.c
468bd4
@@ -261,13 +261,15 @@ static grub_err_t grub_jfs_lookup_symlink (struct grub_jfs_data *data, grub_uint
468bd4
 static grub_int64_t
468bd4
 getblk (struct grub_jfs_treehead *treehead,
468bd4
 	struct grub_jfs_tree_extent *extents,
468bd4
+	int max_extents,
468bd4
 	struct grub_jfs_data *data,
468bd4
 	grub_uint64_t blk)
468bd4
 {
468bd4
   int found = -1;
468bd4
   int i;
468bd4
 
468bd4
-  for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2; i++)
468bd4
+  for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2 &&
468bd4
+	      i < max_extents; i++)
468bd4
     {
468bd4
       if (treehead->flags & GRUB_JFS_TREE_LEAF)
468bd4
 	{
468bd4
@@ -302,7 +304,7 @@ getblk (struct grub_jfs_treehead *treehead,
468bd4
 			   << (grub_le_to_cpu16 (data->sblock.log2_blksz)
468bd4
 			       - GRUB_DISK_SECTOR_BITS), 0,
468bd4
 			   sizeof (*tree), (char *) tree))
468bd4
-	ret = getblk (&tree->treehead, &tree->extents[0], data, blk);
468bd4
+	ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
468bd4
       grub_free (tree);
468bd4
       return ret;
468bd4
     }
468bd4
@@ -316,7 +318,7 @@ static grub_int64_t
468bd4
 grub_jfs_blkno (struct grub_jfs_data *data, struct grub_jfs_inode *inode,
468bd4
 		grub_uint64_t blk)
468bd4
 {
468bd4
-  return getblk (&inode->file.tree, &inode->file.extents[0], data, blk);
468bd4
+  return getblk (&inode->file.tree, &inode->file.extents[0], 16, data, blk);
468bd4
 }
468bd4
 
468bd4