[PATCH 1/1] fs/udf: validate length of AED in grub_udf_read

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block()

From:	Jagannathan Raman
Subject:	[PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block()
Date:	Thu, 17 Nov 2022 00:17:52 +0000

Validate the length of Allocation Extent Descriptor in
grub_udf_read_block(), based on the details in UDF spec. v2.01 section
2.3.11

Fixes: CID 314037

Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
---
 grub-core/fs/udf.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
index 12e88ab62..d19fa3987 100644
--- a/grub-core/fs/udf.c
+++ b/grub-core/fs/udf.c
@@ -510,6 +510,20 @@ grub_udf_read_block (grub_fshelp_node_t node, 
grub_disk_addr_t fileblock)
                }
 
              len = U32 (extension->ae_len);
+              /*
+               * Ensure AE length is less than block size
+               * per UDF spec v2.01 section 2.3.11
+               *
+               * node->data->lbshift is initialized by
+               * grub_udf_mount(). lbshift has a maximum value
+               * of 3 and it does not cause an overflow here.
+               */
+              if (len < 0 || len > ((grub_ssize_t) 1 << node->data->lbshift))
+                {
+                  grub_error (GRUB_ERR_BAD_FS, "invalid ae length");
+                  goto fail;
+                }
+
              ad = (struct grub_udf_short_ad *)
                    (buf + sizeof (struct grub_udf_aed));
              continue;
@@ -563,6 +577,20 @@ grub_udf_read_block (grub_fshelp_node_t node, 
grub_disk_addr_t fileblock)
                }
 
              len = U32 (extension->ae_len);
+              /*
+               * Ensure AE length is less than block size
+               * per UDF spec v2.01 section 2.3.11
+               *
+               * node->data->lbshift is initialized by
+               * grub_udf_mount(). lbshift has a maximum value
+               * of 3 and it does not cause an overflow here.
+               */
+              if (len < 0 || len > ((grub_ssize_t) 1 << node->data->lbshift))
+                {
+                  grub_error (GRUB_ERR_BAD_FS, "invalid ae length");
+                  goto fail;
+                }
+
              ad = (struct grub_udf_long_ad *)
                    (buf + sizeof (struct grub_udf_aed));
              continue;
-- 
2.20.1

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/1] Fix for CID 314037, Jagannathan Raman, 2022/11/16
- [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block(), Jagannathan Raman <=
  - Re: [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block(), Daniel Kiper, 2022/11/23
    - Re: [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block(), Jag Raman, 2022/11/23
    - Re: [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block(), Daniel Kiper, 2022/11/23

Prev by Date: [PATCH 0/1] Fix for CID 314037
Next by Date: [PATCH 7/9] fs/iso9660: Fix memory leak in grub_iso9660_susp_iterate
Previous by thread: [PATCH 0/1] Fix for CID 314037
Next by thread: Re: [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block()
Index(es):
- Date
- Thread