From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 18 Jan 2021 15:47:24 +1100
Subject: [PATCH] fs/jfs: Catch infinite recursion
It's possible with a fuzzed filesystem for JFS to keep getblk()-ing
the same data over and over again, leading to stack exhaustion.
Check if we'd be calling the function with exactly the same data as
was passed in, and if so abort.
I'm not sure what the performance impact of this is and am open to
better ideas.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/jfs.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
index 6e81f37da6c..20d966abfc0 100644
--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@@ -304,7 +304,16 @@ getblk (struct grub_jfs_treehead *treehead,
 			   << (grub_le_to_cpu16 (data->sblock.log2_blksz)
 			       - GRUB_DISK_SECTOR_BITS), 0,
 			   sizeof (*tree), (char *) tree))
-	ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+	{
+	  if (grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) ||
+	      grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent)))
+	    ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+	  else
+	    {
+	      grub_error (GRUB_ERR_BAD_FS, "jfs: infinite recursion detected");
+	      ret = -1;
+	    }
+	}
       grub_free (tree);
       return ret;
     }
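Review bot: The added `grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent))` compares a fixed 254 extents regardless of how many the caller actually passed in `extents`, while the recursive call on the next line hands a separate count (254) as getblk's third argument; if that parameter is the caller's extent count, an outer caller supplying a shorter array is read past its end, and since the over-read bytes almost never match, the guard silently never fires at that level. The comparison length should be derived from that third parameter instead of the literal, e.g. `grub_memcmp (&tree->extents, extents, <third-parameter-name> * sizeof (struct grub_jfs_tree_extent))`, with the name taken from the signature, which lies outside the hunk. The guard also only detects a block that maps straight back to itself: a cycle through two or more distinct blocks still recurses without bound, so a depth counter threaded through the recursive call would be a more complete defence against a crafted filesystem. getblk's signature and the start of its body are outside the hunk.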