Home Explore Help
Sign In
PUBLIC_REPOS
/
buildroot
mirror of git://git.buildroot.net/buildroot
2
1
Fork 0
Files
Branch: master
Branches Tags
buildroot
/
boot
/
grub2
/
0011-fs-jfs-Fix-OOB-read-in-jfs_getent.patch

0011-fs-jfs-Fix-OOB-read-in-jfs_getent.patch 2.4 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 
  1. From b01accc4d132a252f02bf57c31f5fff8ce98a339 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Lidong Chen <lidong.chen@oracle.com>
    3. 

  3. Date: Fri, 22 Nov 2024 06:27:59 +0000
    4. 

  4. Subject: [PATCH] fs/jfs: Fix OOB read in jfs_getent()
    5. 

  5. 

  6. The JFS fuzzing revealed an OOB read in grub_jfs_getent(). The crash
    7. 

  7. was caused by an invalid leaf nodes count, diro->dirpage->header.count,
    8. 

  8. which was larger than the maximum number of leaf nodes allowed in an
    9. 

  9. inode. This fix is to ensure that the leaf nodes count is validated in
    10. 

  10. grub_jfs_opendir() before calling grub_jfs_getent().
    11. 

  11. 

  12. On the occasion replace existing raw numbers with newly defined constant.
    13. 

  13. 

  14. Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
    15. 

  15. Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
    16. 

  16. Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
    17. 

  17. Upstream: 66175696f3a385b14bdf1ebcda7755834bd2d5fb
    18. 

  18. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    19. 

  19. ---
    20. 

  20.  grub-core/fs/jfs.c | 17 +++++++++++++++--
    21. 

  21.  1 file changed, 15 insertions(+), 2 deletions(-)
    22. 

  22. 

  23. diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
    24. 

  24. index 6f7c43904..32dec7fb7 100644
    25. 

  25. --- a/grub-core/fs/jfs.c
    26. 

  26. +++ b/grub-core/fs/jfs.c
    27. 

  27. @@ -41,6 +41,12 @@ GRUB_MOD_LICENSE ("GPLv3+");
    28. 

  28.  
    29. 

  29.  #define GRUB_JFS_TREE_LEAF	2
    30. 

  30.  
    31. 

  31. +/*
    32. 

  32. + * Define max entries stored in-line in an inode.
    33. 

  33. + * https://jfs.sourceforge.net/project/pub/jfslayout.pdf
    34. 

  34. + */
    35. 

  35. +#define GRUB_JFS_INODE_INLINE_ENTRIES	8
    36. 

  36. +
    37. 

  37.  struct grub_jfs_sblock
    38. 

  38.  {
    39. 

  39.    /* The magic for JFS.  It should contain the string "JFS1".  */
    40. 

  40. @@ -203,9 +209,9 @@ struct grub_jfs_inode
    41. 

  41.  	grub_uint8_t freecnt;
    42. 

  42.  	grub_uint8_t freelist;
    43. 

  43.  	grub_uint32_t idotdot;
    44. 

  44. -	grub_uint8_t sorted[8];
    45. 

  45. +	grub_uint8_t sorted[GRUB_JFS_INODE_INLINE_ENTRIES];
    46. 

  46.        } header;
    47. 

  47. -      struct grub_jfs_leaf_dirent dirents[8];
    48. 

  48. +      struct grub_jfs_leaf_dirent dirents[GRUB_JFS_INODE_INLINE_ENTRIES];
    49. 

  49.      } GRUB_PACKED dir;
    50. 

  50.      /* Fast symlink.  */
    51. 

  51.      struct
    52. 

  52. @@ -453,6 +459,13 @@ grub_jfs_opendir (struct grub_jfs_data *data, struct grub_jfs_inode *inode)
    53. 

  53.    /* Check if the entire tree is contained within the inode.  */
    54. 

  54.    if (inode->file.tree.flags & GRUB_JFS_TREE_LEAF)
    55. 

  55.      {
    56. 

  56. +      if (inode->dir.header.count > GRUB_JFS_INODE_INLINE_ENTRIES)
    57. 

  57. +	{
    58. 

  58. +	  grub_free (diro);
    59. 

  59. +	  grub_error (GRUB_ERR_BAD_FS, N_("invalid JFS inode"));
    60. 

  60. +	  return 0;
    61. 

  61. +	}
    62. 

  62. +
    63. 

  63.        diro->leaf = inode->dir.dirents;
    64. 

  64.        diro->next_leaf = (struct grub_jfs_leaf_next_dirent *) de;
    65. 

  65.        diro->sorted = inode->dir.header.sorted;
    66. 

  66. -- 
    67. 

  67. 2.50.1
    68. 

  68.