[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 25/30] fs/f2fs: Do not read past the end of nat journal
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 25/30] fs/f2fs: Do not read past the end of nat journal entries |
Date: |
Tue, 7 Jun 2022 19:01:34 +0200 |
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
A corrupt f2fs file system could specify a nat journal entry count
that is beyond the maximum NAT_JOURNAL_ENTRIES.
Check if the specified nat journal entry count before accessing the
array, and throw an error if it is too large.
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/f2fs.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c
index 8a9992ca9..63702214b 100644
--- a/grub-core/fs/f2fs.c
+++ b/grub-core/fs/f2fs.c
@@ -632,23 +632,27 @@ get_nat_journal (struct grub_f2fs_data *data)
return err;
}
-static grub_uint32_t
-get_blkaddr_from_nat_journal (struct grub_f2fs_data *data, grub_uint32_t nid)
+static grub_err_t
+get_blkaddr_from_nat_journal (struct grub_f2fs_data *data, grub_uint32_t nid,
+ grub_uint32_t *blkaddr)
{
grub_uint16_t n = grub_le_to_cpu16 (data->nat_j.n_nats);
- grub_uint32_t blkaddr = 0;
grub_uint16_t i;
+ if (n >= NAT_JOURNAL_ENTRIES)
+ return grub_error (GRUB_ERR_BAD_FS,
+ "invalid number of nat journal entries");
+
for (i = 0; i < n; i++)
{
if (grub_le_to_cpu32 (data->nat_j.entries[i].nid) == nid)
{
- blkaddr = grub_le_to_cpu32 (data->nat_j.entries[i].ne.block_addr);
+ *blkaddr = grub_le_to_cpu32 (data->nat_j.entries[i].ne.block_addr);
break;
}
}
- return blkaddr;
+ return GRUB_ERR_NONE;
}
static grub_uint32_t
@@ -656,10 +660,13 @@ get_node_blkaddr (struct grub_f2fs_data *data,
grub_uint32_t nid)
{
struct grub_f2fs_nat_block *nat_block;
grub_uint32_t seg_off, block_off, entry_off, block_addr;
- grub_uint32_t blkaddr;
+ grub_uint32_t blkaddr = 0;
grub_err_t err;
- blkaddr = get_blkaddr_from_nat_journal (data, nid);
+ err = get_blkaddr_from_nat_journal (data, nid, &blkaddr);
+ if (err != GRUB_ERR_NONE)
+ return 0;
+
if (blkaddr)
return blkaddr;
--
2.11.0
- [SECURITY PATCH 16/30] net/ip: Do IP fragment maths safely, (continued)
- [SECURITY PATCH 16/30] net/ip: Do IP fragment maths safely, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 05/30] kern/file: Do not leak device_name on error in grub_file_open(), Daniel Kiper, 2022/06/07
- [SECURITY PATCH 26/30] fs/f2fs: Do not read past the end of nat bitmap, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 12/30] video/readers/jpeg: Do not reallocate a given huff table, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 03/30] loader/efi/chainloader: Use grub_loader_set_ex(), Daniel Kiper, 2022/06/07
- [SECURITY PATCH 10/30] video/readers/png: Sanity check some huffman codes, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 09/30] video/readers/png: Avoid heap OOB R/W inserting huff table items, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 07/30] video/readers/png: Refuse to handle multiple image headers, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 15/30] normal/charset: Fix array out-of-bounds formatting unicode for display, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 19/30] net/dns: Don't read past the end of the string we're checking against, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 25/30] fs/f2fs: Do not read past the end of nat journal entries,
Daniel Kiper <=
- [SECURITY PATCH 30/30] fs/btrfs: Fix more fuzz issues related to chunks, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 20/30] net/tftp: Prevent a UAF and double-free from a failed seek, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 18/30] net/dns: Fix double-free addresses on corrupt DNS response, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 17/30] net/netbuff: Block overly large netbuff allocs, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 24/30] net/http: Error out on headers with LF without CR, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 08/30] video/readers/png: Drop greyscale support to fix heap out-of-bounds write, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 14/30] video/readers/jpeg: Block int underflow -> wild pointer write, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 27/30] fs/f2fs: Do not copy file names that are too long, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 29/30] fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 28/30] fs/btrfs: Fix several fuzz issues with invalid dir item sizing, Daniel Kiper, 2022/06/07