Blame SOURCES/0408-fs-nilfs2-Reject-too-large-keys.patch

b1bcb2
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b1bcb2
From: Daniel Axtens <dja@axtens.net>
b1bcb2
Date: Mon, 18 Jan 2021 16:49:09 +1100
b1bcb2
Subject: [PATCH] fs/nilfs2: Reject too-large keys
b1bcb2
b1bcb2
NILFS2 has up to 7 keys, per the data structure. Do not permit array
b1bcb2
indices in excess of that.
b1bcb2
b1bcb2
This catches some OOB reads. I don't know how controllable the invalidly
b1bcb2
read data is or if that could be used later in the program.
b1bcb2
b1bcb2
Signed-off-by: Daniel Axtens <dja@axtens.net>
b1bcb2
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
b1bcb2
---
b1bcb2
 grub-core/fs/nilfs2.c | 7 ++++++-
b1bcb2
 1 file changed, 6 insertions(+), 1 deletion(-)
b1bcb2
b1bcb2
diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
b1bcb2
index 388ee188edc..09e89f615bc 100644
b1bcb2
--- a/grub-core/fs/nilfs2.c
b1bcb2
+++ b/grub-core/fs/nilfs2.c
b1bcb2
@@ -569,6 +569,11 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data,
b1bcb2
 static inline grub_uint64_t
b1bcb2
 grub_nilfs2_direct_lookup (struct grub_nilfs2_inode *inode, grub_uint64_t key)
b1bcb2
 {
b1bcb2
+  if (1 + key > 6)
b1bcb2
+    {
b1bcb2
+      grub_error (GRUB_ERR_BAD_FS, "key is too large");
b1bcb2
+      return 0xffffffffffffffff;
b1bcb2
+    }
b1bcb2
   return grub_le_to_cpu64 (inode->i_bmap[1 + key]);
b1bcb2
 }
b1bcb2
 
b1bcb2
@@ -584,7 +589,7 @@ grub_nilfs2_bmap_lookup (struct grub_nilfs2_data *data,
b1bcb2
     {
b1bcb2
       grub_uint64_t ptr;
b1bcb2
       ptr = grub_nilfs2_direct_lookup (inode, key);
b1bcb2
-      if (need_translate)
b1bcb2
+      if (ptr != ((grub_uint64_t) 0xffffffffffffffff) && need_translate)
b1bcb2
 	ptr = grub_nilfs2_dat_translate (data, ptr);
b1bcb2
       return ptr;
b1bcb2
     }