grub2/backport-fs-iso9660-Avoid-reading-past-the-entry-boundary.patch

From c44b1428c4c7d2bb01359fd885720af87e10b1b2 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Fri, 20 Jan 2023 19:39:40 +0000
Subject: fs/iso9660: Avoid reading past the entry boundary

Added a check for the SP entry data boundary before reading it.

Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=c44b1428c4c7d2bb01359fd885720af87e10b1b2
Conflict:NA

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/iso9660.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index 230048a..ecf6bbe 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -415,6 +415,9 @@ set_rockridge (struct grub_iso9660_data *data)
   if (!sua_size)
     return GRUB_ERR_NONE;
 
+  if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
+    return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size");
+
   sua = grub_malloc (sua_size);
   if (! sua)
     return grub_errno;
@@ -441,8 +444,17 @@ set_rockridge (struct grub_iso9660_data *data)
       rootnode.have_symlink = 0;
       rootnode.dirents[0] = data->voldesc.rootdir;
 
-      /* The 2nd data byte stored how many bytes are skipped every time
-	 to get to the SUA (System Usage Area).  */
+      /* The size of SP (version 1) is fixed to 7. */
+      if (sua_size < 7 || entry->len < 7)
+	{
+	  grub_free (sua);
+	  return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry");
+	}
+
+      /*
+       * The 2nd data byte stored how many bytes are skipped every time
+       * to get to the SUA (System Usage Area).
+       */
       data->susp_skip = entry->data[2];
       entry = (struct grub_iso9660_susp_entry *) ((char *) entry + entry->len);
 
-- 
cgit v1.1
backport some patches from upstream Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com> 2023-04-10 22:22:30 +08:00			`From c44b1428c4c7d2bb01359fd885720af87e10b1b2 Mon Sep 17 00:00:00 2001`
			`From: Lidong Chen <lidong.chen@oracle.com>`
			`Date: Fri, 20 Jan 2023 19:39:40 +0000`
			`Subject: fs/iso9660: Avoid reading past the entry boundary`

			`Added a check for the SP entry data boundary before reading it.`

			`Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=c44b1428c4c7d2bb01359fd885720af87e10b1b2`
			`Conflict:NA`

			`Signed-off-by: Lidong Chen <lidong.chen@oracle.com>`
			`Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>`
			`Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>`
			`---`
			`grub-core/fs/iso9660.c \| 16 ++++++++++++++--`
			`1 file changed, 14 insertions(+), 2 deletions(-)`

			`diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c`
			`index 230048a..ecf6bbe 100644`
			`--- a/grub-core/fs/iso9660.c`
			`+++ b/grub-core/fs/iso9660.c`
			`@@ -415,6 +415,9 @@ set_rockridge (struct grub_iso9660_data *data)`
			`if (!sua_size)`
			`return GRUB_ERR_NONE;`

			`+ if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)`
			`+ return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size");`
			`+`
			`sua = grub_malloc (sua_size);`
			`if (! sua)`
			`return grub_errno;`
			`@@ -441,8 +444,17 @@ set_rockridge (struct grub_iso9660_data *data)`
			`rootnode.have_symlink = 0;`
			`rootnode.dirents[0] = data->voldesc.rootdir;`

			`- /* The 2nd data byte stored how many bytes are skipped every time`
			`- to get to the SUA (System Usage Area). */`
			`+ /* The size of SP (version 1) is fixed to 7. */`
			`+ if (sua_size < 7 \|\| entry->len < 7)`
			`+ {`
			`+ grub_free (sua);`
			`+ return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry");`
			`+ }`
			`+`
			`+ /*`
			`+ * The 2nd data byte stored how many bytes are skipped every time`
			`+ * to get to the SUA (System Usage Area).`
			`+ */`
			`data->susp_skip = entry->data[2];`
			`entry = (struct grub_iso9660_susp_entry ) ((char ) entry + entry->len);`

			`--`
			`cgit v1.1`