[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 075/117] fs/sfs: Fix over-read of root object name
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 075/117] fs/sfs: Fix over-read of root object name |
Date: |
Tue, 2 Mar 2021 19:01:22 +0100 |
From: Daniel Axtens <dja@axtens.net>
There's a read of the name of the root object that assumes that the name
is nul-terminated within the root block. This isn't guaranteed - it seems
SFS would require you to read multiple blocks to get a full name in general,
but maybe that doesn't apply to the root object.
Either way, figure out how much space is left in the root block and don't
over-read it. This fixes some OOB reads.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/sfs.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
index de2b107a4..983e88008 100644
--- a/grub-core/fs/sfs.c
+++ b/grub-core/fs/sfs.c
@@ -373,6 +373,7 @@ grub_sfs_mount (grub_disk_t disk)
struct grub_sfs_objc *rootobjc;
char *rootobjc_data = 0;
grub_uint32_t blk;
+ unsigned int max_len;
data = grub_malloc (sizeof (*data));
if (!data)
@@ -421,7 +422,13 @@ grub_sfs_mount (grub_disk_t disk)
data->diropen.data = data;
data->diropen.cache = 0;
data->disk = disk;
- data->label = grub_strdup ((char *) (rootobjc->objects[0].filename));
+
+ /* We only read 1 block of data, so truncate the name if needed. */
+ max_len = ((GRUB_DISK_SECTOR_SIZE << data->log_blocksize)
+ - 24 /* offsetof (struct grub_sfs_objc, objects) */
+ - 25); /* offsetof (struct grub_sfs_obj, filename) */
+ data->label = grub_zalloc (max_len + 1);
+ grub_strncpy (data->label, (char *) rootobjc->objects[0].filename, max_len);
grub_free (rootobjc_data);
return data;
--
2.11.0
- [SECURITY PATCH 087/117] disk/lvm: Don't blast past the end of the circular metadata buffer, (continued)
- [SECURITY PATCH 087/117] disk/lvm: Don't blast past the end of the circular metadata buffer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 089/117] disk/lvm: Do not crash if an expected string is not found, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 085/117] io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 091/117] disk/lvm: Sanitize rlocn->offset to prevent wild read, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 096/117] kern/parser: Introduce process_char() helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 097/117] kern/parser: Introduce terminate_arg() helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 080/117] fs/nilfs2: Don't search children if provided number is too large, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 088/117] disk/lvm: Bail on missing PV list, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 099/117] kern/buffer: Add variable sized heap buffer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 076/117] fs/jfs: Do not move to leaf level if name length is negative, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 075/117] fs/sfs: Fix over-read of root object name,
Daniel Kiper <=
- [SECURITY PATCH 074/117] fs/hfs: Disable under lockdown, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 094/117] fs/btrfs: Squash some uninitialized reads, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 081/117] fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 093/117] fs/btrfs: Validate the number of stripes/parities in RAID5/6, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 090/117] disk/lvm: Do not overread metadata, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 095/117] kern/parser: Fix a memory leak, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 092/117] disk/lvm: Do not allow a LV to be it's own segment's node's LV, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 098/117] kern/parser: Refactor grub_parser_split_cmdline() cleanup, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 102/117] util/mkimage: Remove unused code to add BSS section, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 108/117] util/mkimage: Refactor section setup to use a helper, Daniel Kiper, 2021/03/02