| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748 |
- From 854503d76e7dbc25f999d6be3e2ef4e8067f4152 Mon Sep 17 00:00:00 2001
- From: Michael Chang <mchang@suse.com>
- Date: Fri, 31 May 2024 15:14:57 +0800
- Subject: [PATCH] fs/xfs: Fix out-of-bounds read
- The number of records in the root key array read from disk was not being
- validated against the size of the root node. This could lead to an
- out-of-bounds read.
- This patch adds a check to ensure that the number of records in the root
- key array does not exceed the expected size of a root node read from
- disk. If this check detects an out-of-bounds condition the operation is
- aborted to prevent random errors due to metadata corruption.
- Reported-by: Daniel Axtens <dja@axtens.net>
- Signed-off-by: Michael Chang <mchang@suse.com>
- Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
- Upstream: 6ccc77b59d16578b10eaf8a4fe85c20b229f0d8a
- Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- ---
- grub-core/fs/xfs.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
- diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
- index bc2224dbb..d2d533531 100644
- --- a/grub-core/fs/xfs.c
- +++ b/grub-core/fs/xfs.c
- @@ -595,6 +595,17 @@ grub_xfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
- do
- {
- grub_uint64_t i;
- + grub_addr_t keys_end, data_end;
- +
- + if (grub_mul (sizeof (grub_uint64_t), nrec, &keys_end) ||
- + grub_add ((grub_addr_t) keys, keys_end, &keys_end) ||
- + grub_add ((grub_addr_t) node->data, node->data->data_size, &data_end) ||
- + keys_end > data_end)
- + {
- + grub_error (GRUB_ERR_BAD_FS, "invalid number of XFS root keys");
- + grub_free (leaf);
- + return 0;
- + }
-
- for (i = 0; i < nrec; i++)
- {
- --
- 2.50.1
|
