[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 28/30] fs/btrfs: Fix several fuzz issues with invalid di
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 28/30] fs/btrfs: Fix several fuzz issues with invalid dir item sizing |
Date: |
Tue, 7 Jun 2022 19:01:37 +0200 |
From: Darren Kenny <darren.kenny@oracle.com>
According to the btrfs code in Linux, the structure of a directory item
leaf should be of the form:
|struct btrfs_dir_item|name|data|
in GRUB the name len and data len are in the grub_btrfs_dir_item
structure's n and m fields respectively.
The combined size of the structure, name and data should be less than
the allocated memory, a difference to the Linux kernel's struct
btrfs_dir_item is that the grub_btrfs_dir_item has an extra field for
where the name is stored, so we adjust for that too.
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/btrfs.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
index 937153306..139c6616d 100644
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@@ -1991,6 +1991,7 @@ grub_btrfs_dir (grub_device_t device, const char *path,
int r = 0;
grub_uint64_t tree;
grub_uint8_t type;
+ grub_size_t est_size = 0;
if (!data)
return grub_errno;
@@ -2049,6 +2050,18 @@ grub_btrfs_dir (grub_device_t device, const char *path,
break;
}
+ if (direl == NULL ||
+ grub_add (grub_le_to_cpu16 (direl->n),
+ grub_le_to_cpu16 (direl->m), &est_size) ||
+ grub_add (est_size, sizeof (*direl), &est_size) ||
+ grub_sub (est_size, sizeof (direl->name), &est_size) ||
+ est_size > allocated)
+ {
+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
+ r = -grub_errno;
+ goto out;
+ }
+
for (cdirel = direl;
(grub_uint8_t *) cdirel - (grub_uint8_t *) direl
< (grub_ssize_t) elemsize;
@@ -2059,6 +2072,19 @@ grub_btrfs_dir (grub_device_t device, const char *path,
char c;
struct grub_btrfs_inode inode;
struct grub_dirhook_info info;
+
+ if (cdirel == NULL ||
+ grub_add (grub_le_to_cpu16 (cdirel->n),
+ grub_le_to_cpu16 (cdirel->m), &est_size) ||
+ grub_add (est_size, sizeof (*cdirel), &est_size) ||
+ grub_sub (est_size, sizeof (cdirel->name), &est_size) ||
+ est_size > allocated)
+ {
+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
+ r = -grub_errno;
+ goto out;
+ }
+
err = grub_btrfs_read_inode (data, &inode, cdirel->key.object_id,
tree);
grub_memset (&info, 0, sizeof (info));
--
2.11.0
- [SECURITY PATCH 25/30] fs/f2fs: Do not read past the end of nat journal entries, (continued)
- [SECURITY PATCH 25/30] fs/f2fs: Do not read past the end of nat journal entries, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 30/30] fs/btrfs: Fix more fuzz issues related to chunks, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 20/30] net/tftp: Prevent a UAF and double-free from a failed seek, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 18/30] net/dns: Fix double-free addresses on corrupt DNS response, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 17/30] net/netbuff: Block overly large netbuff allocs, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 24/30] net/http: Error out on headers with LF without CR, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 08/30] video/readers/png: Drop greyscale support to fix heap out-of-bounds write, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 14/30] video/readers/jpeg: Block int underflow -> wild pointer write, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 27/30] fs/f2fs: Do not copy file names that are too long, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 29/30] fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 28/30] fs/btrfs: Fix several fuzz issues with invalid dir item sizing,
Daniel Kiper <=
- [SECURITY PATCH 06/30] video/readers/png: Abort sooner if a read operation fails, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 21/30] net/tftp: Avoid a trivial UAF, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 22/30] net/http: Do not tear down socket if it's already been torn down, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 23/30] net/http: Fix OOB write for split http headers, Daniel Kiper, 2022/06/07