[SECURITY PATCH 30/30] fs/btrfs: Fix more fuzz issues related to chunks
From: Daniel Kiper
Subject: [SECURITY PATCH 30/30] fs/btrfs: Fix more fuzz issues related to chunks
Date: Tue, 7 Jun 2022 19:01:39 +0200
From: Darren Kenny <darren.kenny@oracle.com>
The corpus was generating issues in grub_btrfs_read_logical() when
attempting to iterate over stripe entries in the superblock's
bootmapping.
In most cases the reason for the failure was that the number of stripes
in chunk->nstripes exceeded the possible space statically allocated in
superblock bootmapping space. Each stripe entry in the bootmapping block
consists of a grub_btrfs_key followed by a grub_btrfs_chunk_stripe.
Another issue that came up was that while calculating the chunk size,
in an earlier piece of code in that function, depending on the data
provided in the btrfs file system, it would end up calculating a size
that was too small to contain even 1 grub_btrfs_chunk_item, which is
obviously invalid too.
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/btrfs.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
index 73b230632..ec72f7be3 100644
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@@ -918,6 +918,17 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data,
grub_disk_addr_t addr,
return grub_error (GRUB_ERR_BAD_FS,
"got an invalid zero-size chunk");
}
+
+ /*
+ * The space being allocated for a chunk should at least be able to
+ * contain one chunk item.
+ */
+ if (chsize < sizeof (struct grub_btrfs_chunk_item))
+ {
+ grub_dprintf ("btrfs", "chunk-size too small\n");
+ return grub_error (GRUB_ERR_BAD_FS,
+ "got an invalid chunk size");
+ }
chunk = grub_malloc (chsize);
if (!chunk)
return grub_errno;
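Review bot: the new `chsize < sizeof (struct grub_btrfs_chunk_item)` bound makes the zero-size check immediately above it (`"got an invalid zero-size chunk"`) a strict subset of the new condition; either fold the two into one check or leave a comment explaining why the zero case keeps its own message. Note also that this bound only guarantees the chunk item header fits in the allocation: any later read of stripe entries past the header still needs its own bound against chsize and nstripes, which this hunk does not provide.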
@@ -1165,6 +1176,13 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data,
grub_disk_addr_t addr,
if (csize > (grub_uint64_t) size)
csize = size;
+ /*
+ * The space for a chunk stripe is limited to the space provide in the
super-block's
+ * bootstrap mapping with an initial btrfs key at the start of each
chunk.
+ */
+ grub_size_t avail_stripes = sizeof (data->sblock.bootstrap_mapping) /
+ (sizeof (struct grub_btrfs_key) + sizeof (struct
grub_btrfs_chunk_stripe));
+
for (j = 0; j < 2; j++)
{
grub_size_t est_chunk_alloc = 0;
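Review bot: the comment has a typo ("space provide in the" should be "space provided in the") and, as archived here, two of its wrapped lines ("super-block's" and "chunk.") have lost their leading `+`, so the patch in this mail will not apply cleanly; please resend with the comment re-wrapped to fit the line length. Separately, avail_stripes depends only on sizeof() and is therefore a compile-time constant; a `#define` or static const next to the struct definitions would read better than recomputing it inside grub_btrfs_read_logical() on every call, and would avoid a declaration sitting after statements in the middle of the function.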
@@ -1191,6 +1209,12 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data,
grub_disk_addr_t addr,
break;
}
+ if (grub_le_to_cpu16 (chunk->nstripes) > avail_stripes)
+ {
+ err = GRUB_ERR_BAD_FS;
+ break;
+ }
+
if (is_raid56)
{
err = btrfs_read_from_chunk (data, chunk, stripen,
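Review bot: this path sets `err = GRUB_ERR_BAD_FS;` and breaks without a grub_error() or even a grub_dprintf(), unlike the first hunk, so a rejected chunk leaves no message for the user or the debug log; add at least `grub_dprintf ("btrfs", "too many stripes\n");` for consistency. More importantly, avail_stripes is derived from sizeof (data->sblock.bootstrap_mapping), yet the check runs for every chunk that reaches this point regardless of where it was read from. If chunk items from the chunk tree rather than the superblock's bootstrap mapping can legitimately carry more stripes than the 2 KiB array can hold, they would now be rejected as invalid; please confirm the bound is meant to apply to both sources or restrict it to the bootstrap-mapping case the commit message describes.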
--
2.11.0
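The two bounds the patch introduces, worked through on a constructed chunk item as an added example (this is not GRUB's code; the size constants are assumed from the btrfs on-disk format: key 17 bytes, stripe 32, chunk item 48, bootstrap mapping 2048), with a third check that the patch does not add, namely that the item must be large enough to hold every stripe it claims; `validate_chunk` and `check_constructed` are hypothetical names:

```c
#include <stdint.h>
#include <string.h>
/* Stand-ins for the on-disk btrfs sizes GRUB parses (assumed from the btrfs
 * format): disk key 17 bytes, chunk stripe 32 bytes, chunk item 48 bytes,
 * superblock bootstrap mapping (sys_chunk_array) 2048 bytes. */
#define BOOTSTRAP_MAPPING_SIZE 0x800
#define KEY_SIZE               17
#define STRIPE_SIZE            32
#define CHUNK_ITEM_SIZE        48
#define NSTRIPES_OFFSET        44   /* little-endian u16 inside the chunk item */

/* Same arithmetic as the patch's avail_stripes: 2048 / (17 + 32) == 41. */
#define AVAIL_STRIPES (BOOTSTRAP_MAPPING_SIZE / (KEY_SIZE + STRIPE_SIZE))

enum chunk_verdict {
  CHUNK_OK = 0,
  CHUNK_TOO_SMALL,         /* chsize cannot even hold the item header */
  CHUNK_TOO_MANY_STRIPES,  /* nstripes exceeds what the bootstrap mapping holds */
  CHUNK_STRIPES_TRUNCATED  /* extra bound: chsize cannot hold nstripes stripes */
};

/* Validate a chunk item of chsize bytes before any stripe entry is read.
 * The header-size check must come first: nstripes sits at offset 44, so
 * reading it from a smaller buffer is already an out-of-bounds read. */
enum chunk_verdict validate_chunk(const uint8_t *chunk, size_t chsize)
{
  if (chsize < CHUNK_ITEM_SIZE)
    return CHUNK_TOO_SMALL;
  uint16_t nstripes = (uint16_t)(chunk[NSTRIPES_OFFSET]
                                 | (chunk[NSTRIPES_OFFSET + 1] << 8));
  if (nstripes > AVAIL_STRIPES)
    return CHUNK_TOO_MANY_STRIPES;
  if (chsize - CHUNK_ITEM_SIZE < (size_t)nstripes * STRIPE_SIZE)
    return CHUNK_STRIPES_TRUNCATED;
  return CHUNK_OK;
}

/* Construct a zeroed chunk item carrying nstripes (as a fuzzer might) and
 * validate it as if its on-disk item size were chsize (capped to the buffer). */
enum chunk_verdict check_constructed(uint16_t nstripes, size_t chsize)
{
  uint8_t buf[2 * BOOTSTRAP_MAPPING_SIZE];
  memset(buf, 0, sizeof buf);
  buf[NSTRIPES_OFFSET] = (uint8_t)(nstripes & 0xff);
  buf[NSTRIPES_OFFSET + 1] = (uint8_t)(nstripes >> 8);
  if (chsize > sizeof buf)
    chsize = sizeof buf;
  return validate_chunk(buf, chsize);
}
```

With these sizes the bootstrap mapping can hold at most 41 stripe entries, so a fuzzed nstripes of 65535 is rejected before any stripe is dereferenced.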