nalika / rpms / grub2

Forked from rpms/grub2 2 years ago

Blame SOURCES/0242-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Wed, 6 Apr 2022 18:17:43 +0530
Subject: [PATCH] fs/f2fs: Do not copy file names that are too long

A corrupt f2fs file system might specify a name length which is greater
than the maximum name length supported by the GRUB f2fs driver.

We will allocate enough memory to store the overly long name, but there
are only F2FS_NAME_LEN bytes in the source, so we would read past the end
of the source.

While checking directory entries, do not copy a file name with an invalid
length.

Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit 9a891f638509e031d322c94e3cbcf38d36f3993a)
---
 grub-core/fs/f2fs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c
index 8898b235e0..df6beb544c 100644
--- a/grub-core/fs/f2fs.c
+++ b/grub-core/fs/f2fs.c
@@ -1003,6 +1003,10 @@ grub_f2fs_check_dentries (struct grub_f2fs_dir_iter_ctx *ctx)
 
       ftype = ctx->dentry[i].file_type;
       name_len = grub_le_to_cpu16 (ctx->dentry[i].name_len);
+
+      if (name_len >= F2FS_NAME_LEN)
+        return 0;
+
       filename = grub_malloc (name_len + 1);
       if (!filename)
         return 0;
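
Review bot: the `>=` in `if (name_len >= F2FS_NAME_LEN)` is stricter than the commit message, which talks about a length "greater than" the maximum and says the source holds F2FS_NAME_LEN bytes, so a name of exactly F2FS_NAME_LEN bytes is also rejected. If that is intended, a one-line comment above the check saying why the boundary value is excluded would help; otherwise `>` would match the description. The new `return 0;` is also indistinguishable from the `grub_malloc` failure path just below it; consider reporting the corruption explicitly (for example via `grub_error` with a bad-filesystem code) so an on-disk length problem does not look like an out-of-memory condition to the caller.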