master

分支 (10)

标签 (5)

管理

管理

master

openEuler-20.03-LTS-SP2

openEuler-20.03-LTS-SP1

openEuler-20.03-LTS-Next

openEuler-20.03-LTS

openEuler-21.09

openEuler-21.03

openEuler-20.09

openEuler1.0

openEuler1.0-base

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

grub2
/
backport-0050-fs-jfs-Limit-the-extent...

From 53d8b876fbe2b507845e81a7758a8bbe5f1d4f2d Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 18 Jan 2021 14:57:17 +1100
Subject: [PATCH] fs/jfs: Limit the extents that getblk() can consider

getblk() implicitly trusts that treehead->count is an accurate count of
the number of extents. However, that value is read from disk and is not
trustworthy, leading to OOB reads and crashes. I am not sure to what
extent the data read from OOB can influence subsequent program execution.

Require callers to pass in the maximum number of extents for which
they have storage.

Reference: http://git.savannah.gnu.org/cgit/grub.git/commit/?id=bd0cf8148ccf721f6e39ffbd70f8abad0c8897f0

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/jfs.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
index e5bbda6..804c42d 100644
--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@@ -261,13 +261,15 @@ static grub_err_t grub_jfs_lookup_symlink (struct grub_jfs_data *data, grub_uint
 static grub_int64_t
 getblk (struct grub_jfs_treehead *treehead,
 	struct grub_jfs_tree_extent *extents,
+	int max_extents,
 	struct grub_jfs_data *data,
 	grub_uint64_t blk)
 {
   int found = -1;
   int i;

-  for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2; i++)
+  for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2 &&
+	      i < max_extents; i++)
     {
       if (treehead->flags & GRUB_JFS_TREE_LEAF)
 	{
@@ -302,7 +304,7 @@ getblk (struct grub_jfs_treehead *treehead,
 			   << (grub_le_to_cpu16 (data->sblock.log2_blksz)
 			       - GRUB_DISK_SECTOR_BITS), 0,
 			   sizeof (*tree), (char *) tree))
-	ret = getblk (&tree->treehead, &tree->extents[0], data, blk);
+	ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
       grub_free (tree);
       return ret;
     }
@@ -316,7 +318,7 @@ static grub_int64_t
 grub_jfs_blkno (struct grub_jfs_data *data, struct grub_jfs_inode *inode,
 		grub_uint64_t blk)
 {
-  return getblk (&inode->file.tree, &inode->file.extents[0], data, blk);
+  return getblk (&inode->file.tree, &inode->file.extents[0], 16, data, blk);
 }


--
2.19.1