From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Daniel Axtens <dja@axtens.net>

Date: Mon, 18 Jan 2021 15:47:24 +1100

Subject: [PATCH] fs/jfs: Catch infinite recursion

It's possible with a fuzzed filesystem for JFS to keep getblk()-ing

the same data over and over again, leading to stack exhaustion.

Check if we'd be calling the function with exactly the same data as

was passed in, and if so abort.

I'm not sure what the performance impact of this is and am open to

better ideas.

Signed-off-by: Daniel Axtens <dja@axtens.net>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

---

 grub-core/fs/jfs.c | 11 ++++++++++-

 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c

index 6e81f37da..20d966abf 100644

--- a/grub-core/fs/jfs.c

+++ b/grub-core/fs/jfs.c

@@ -304,7 +304,16 @@ getblk (struct grub_jfs_treehead *treehead,

 			   << (grub_le_to_cpu16 (data->sblock.log2_blksz)

 			       - GRUB_DISK_SECTOR_BITS), 0,

 			   sizeof (*tree), (char *) tree))

-	ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);

+	{

+	  if (grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) ||

+	      grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent)))

+	    ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);

+	  else

+	    {

+	      grub_error (GRUB_ERR_BAD_FS, "jfs: infinite recursion detected");

+	      ret = -1;

+	    }

+	}

       grub_free (tree);

       return ret;

     }