From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>

Date: Wed, 6 Apr 2022 18:17:43 +0530

Subject: [PATCH] fs/f2fs: Do not copy file names that are too long

A corrupt f2fs file system might specify a name length which is greater

than the maximum name length supported by the GRUB f2fs driver.

We will allocate enough memory to store the overly long name, but there

are only F2FS_NAME_LEN bytes in the source, so we would read past the end

of the source.

While checking directory entries, do not copy a file name with an invalid

length.

Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>

Signed-off-by: Daniel Axtens <dja@axtens.net>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

(cherry picked from commit 9a891f638509e031d322c94e3cbcf38d36f3993a)

(cherry picked from commit 13f9160ae0d2806baed459884999356817096cd7)

(cherry picked from commit a48ba4d48b3c66431e6bbeb386078efc6602110c)

---

 grub-core/fs/f2fs.c | 4 ++++

 1 file changed, 4 insertions(+)

diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c

index 33e565b180..07ea34196c 100644

--- a/grub-core/fs/f2fs.c

+++ b/grub-core/fs/f2fs.c

@@ -998,6 +998,10 @@ grub_f2fs_check_dentries (struct grub_f2fs_dir_iter_ctx *ctx)

       ftype = ctx->dentry[i].file_type;

       name_len = grub_le_to_cpu16 (ctx->dentry[i].name_len);

+

+      if (name_len >= F2FS_NAME_LEN)

+        return 0;

+

       filename = grub_malloc (name_len + 1);

       if (!filename)

         return 0;