|
|
468bd4 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
468bd4 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
468bd4 |
Date: Mon, 18 Jan 2021 14:34:58 +1100
|
|
|
468bd4 |
Subject: [PATCH] fs/sfs: Fix over-read of root object name
|
|
|
468bd4 |
|
|
|
468bd4 |
There's a read of the name of the root object that assumes that the name
|
|
|
468bd4 |
is nul-terminated within the root block. This isn't guaranteed - it seems
|
|
|
468bd4 |
SFS would require you to read multiple blocks to get a full name in general,
|
|
|
468bd4 |
but maybe that doesn't apply to the root object.
|
|
|
468bd4 |
|
|
|
468bd4 |
Either way, figure out how much space is left in the root block and don't
|
|
|
468bd4 |
over-read it. This fixes some OOB reads.
|
|
|
468bd4 |
|
|
|
468bd4 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
468bd4 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
468bd4 |
---
|
|
|
468bd4 |
grub-core/fs/sfs.c | 9 ++++++++-
|
|
|
468bd4 |
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
468bd4 |
|
|
|
468bd4 |
diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
|
|
|
468bd4 |
index 3ddc6b5e287..61d6c303cb3 100644
|
|
|
468bd4 |
--- a/grub-core/fs/sfs.c
|
|
|
468bd4 |
+++ b/grub-core/fs/sfs.c
|
|
|
468bd4 |
@@ -373,6 +373,7 @@ grub_sfs_mount (grub_disk_t disk)
|
|
|
468bd4 |
struct grub_sfs_objc *rootobjc;
|
|
|
468bd4 |
char *rootobjc_data = 0;
|
|
|
468bd4 |
grub_uint32_t blk;
|
|
|
468bd4 |
+ unsigned int max_len;
|
|
|
468bd4 |
|
|
|
468bd4 |
data = grub_malloc (sizeof (*data));
|
|
|
468bd4 |
if (!data)
|
|
|
468bd4 |
@@ -421,7 +422,13 @@ grub_sfs_mount (grub_disk_t disk)
|
|
|
468bd4 |
data->diropen.data = data;
|
|
|
468bd4 |
data->diropen.cache = 0;
|
|
|
468bd4 |
data->disk = disk;
|
|
|
468bd4 |
- data->label = grub_strdup ((char *) (rootobjc->objects[0].filename));
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+ /* We only read 1 block of data, so truncate the name if needed. */
|
|
|
468bd4 |
+ max_len = ((GRUB_DISK_SECTOR_SIZE << data->log_blocksize)
|
|
|
468bd4 |
+ - 24 /* offsetof (struct grub_sfs_objc, objects) */
|
|
|
468bd4 |
+ - 25); /* offsetof (struct grub_sfs_obj, filename) */
|
|
|
468bd4 |
+ data->label = grub_zalloc (max_len + 1);
|
|
|
468bd4 |
+ grub_strncpy (data->label, (char *) rootobjc->objects[0].filename, max_len);
|
|
|
468bd4 |
|
|
|
468bd4 |
grub_free (rootobjc_data);
|
|
|
468bd4 |
return data;
|