Blame SOURCES/0442-fs-sfs-Fix-over-read-of-root-object-name.patch

468bd4
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 18 Jan 2021 14:34:58 +1100
Subject: [PATCH] fs/sfs: Fix over-read of root object name
There's a read of the name of the root object that assumes that the name
is nul-terminated within the root block. This isn't guaranteed - it seems
SFS would require you to read multiple blocks to get a full name in general,
but maybe that doesn't apply to the root object.
Either way, figure out how much space is left in the root block and don't
over-read it. This fixes some OOB reads.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/sfs.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
index 3ddc6b5e287..61d6c303cb3 100644
--- a/grub-core/fs/sfs.c
+++ b/grub-core/fs/sfs.c
@@ -373,6 +373,7 @@ grub_sfs_mount (grub_disk_t disk)
   struct grub_sfs_objc *rootobjc;
   char *rootobjc_data = 0;
   grub_uint32_t blk;
+  unsigned int max_len;
 
   data = grub_malloc (sizeof (*data));
   if (!data)
@@ -421,7 +422,13 @@ grub_sfs_mount (grub_disk_t disk)
   data->diropen.data = data;
   data->diropen.cache = 0;
   data->disk = disk;
-  data->label = grub_strdup ((char *) (rootobjc->objects[0].filename));
+
+  /* We only read 1 block of data, so truncate the name if needed. */
+  max_len = ((GRUB_DISK_SECTOR_SIZE << data->log_blocksize)
+	     - 24    /* offsetof (struct grub_sfs_objc, objects) */
+	     - 25);  /* offsetof (struct grub_sfs_obj, filename) */
+  data->label = grub_zalloc (max_len + 1);
+  grub_strncpy (data->label, (char *) rootobjc->objects[0].filename, max_len);
 
   grub_free (rootobjc_data);
   return data;
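Review bot: the result of `grub_zalloc (max_len + 1)` is passed straight to `grub_strncpy`, so an allocation failure here becomes a NULL dereference in the mount path; check `data->label` before the copy, as the function already does for its `grub_malloc` of `data` in the first hunk, and release `rootobjc_data` and `data` on that error path. The bound itself is sound: `GRUB_DISK_SECTOR_SIZE << data->log_blocksize` is the size of the single block that was read, `grub_strncpy` copies at most `max_len` bytes, and the extra byte from `grub_zalloc` guarantees the label is nul-terminated even when the on-disk name is not. The literals `24` and `25` are only explained by comments; using the `offsetof` expressions those comments name would keep `max_len` correct if either struct layout changes. Note that the fix silently truncates a root name that spans more than one block, which the commit message accepts as a limitation.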