74f9c62794
Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com> (cherry picked from commit c141a13130da5dca205b607533751a6ba6c9581e)
47 lines
1.6 KiB
Diff
47 lines
1.6 KiB
Diff
From 6ccc77b59d16578b10eaf8a4fe85c20b229f0d8a Mon Sep 17 00:00:00 2001
|
|
From: Michael Chang <mchang@suse.com>
|
|
Date: Fri, 31 May 2024 15:14:57 +0800
|
|
Subject: [PATCH 19/73] fs/xfs: Fix out-of-bounds read
|
|
|
|
The number of records in the root key array read from disk was not being
|
|
validated against the size of the root node. This could lead to an
|
|
out-of-bounds read.
|
|
|
|
This patch adds a check to ensure that the number of records in the root
|
|
key array does not exceed the expected size of a root node read from
|
|
disk. If this check detects an out-of-bounds condition the operation is
|
|
aborted to prevent random errors due to metadata corruption.
|
|
|
|
Reported-by: Daniel Axtens <dja@axtens.net>
|
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/fs/xfs.c | 11 +++++++++++
|
|
1 file changed, 11 insertions(+)
|
|
|
|
diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
|
|
index 8e02ab4a3..82ea33f40 100644
|
|
--- a/grub-core/fs/xfs.c
|
|
+++ b/grub-core/fs/xfs.c
|
|
@@ -595,6 +595,17 @@ grub_xfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
|
|
do
|
|
{
|
|
grub_uint64_t i;
|
|
+ grub_addr_t keys_end, data_end;
|
|
+
|
|
+ if (grub_mul (sizeof (grub_uint64_t), nrec, &keys_end) ||
|
|
+ grub_add ((grub_addr_t) keys, keys_end, &keys_end) ||
|
|
+ grub_add ((grub_addr_t) node->data, node->data->data_size, &data_end) ||
|
|
+ keys_end > data_end)
|
|
+ {
|
|
+ grub_error (GRUB_ERR_BAD_FS, "invalid number of XFS root keys");
|
|
+ grub_free (leaf);
|
|
+ return 0;
|
|
+ }
|
|
|
|
for (i = 0; i < nrec; i++)
|
|
{
|
|
--
|
|
2.33.0
|
|
|