[SECURITY PATCH 036/117] zfs: Fix possible negative shift operation
From: Daniel Kiper
Subject: [SECURITY PATCH 036/117] zfs: Fix possible negative shift operation
Date: Tue, 2 Mar 2021 19:00:43 +0100

From: Darren Kenny <darren.kenny@oracle.com>
While it is possible for the return value from zfs_log2() to be zero
(0), it is quite unlikely, given that the previous assignment to blksz
is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the
assignment to epbs.
But, while unlikely during a normal operation, it may be that a carefully
crafted ZFS filesystem could result in a zero (0) value to the
dn_datablkszsec field, which means that the shift left does nothing
and assigns zero (0) to blksz, resulting in a negative epbs value.
Fixes: CID 73608
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/zfs/zfs.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
index b6e1e178d..695e6ea30 100644
--- a/grub-core/fs/zfs/zfs.c
+++ b/grub-core/fs/zfs/zfs.c
@@ -2670,6 +2670,11 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum,
grub_uint8_t type,
blksz = grub_zfs_to_cpu16 (mdn->dn.dn_datablkszsec,
mdn->endian) << SPA_MINBLOCKSHIFT;
epbs = zfs_log2 (blksz) - DNODE_SHIFT;
+
+ /* While this should never happen, we should check that epbs is not
negative. */
+ if (epbs < 0)
+ epbs = 0;
+
blkid = objnum >> epbs;
idx = objnum & ((1 << epbs) - 1);
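Review bot: The clamp at `if (epbs < 0) epbs = 0;` hides a malformed dnode instead of rejecting it. With epbs forced to 0, `blkid = objnum >> epbs` is just objnum and idx is always 0, so the lookup carries on with values derived from a dn_datablkszsec that a crafted filesystem can set. If dnode_get can report failure to its caller, returning a bad-filesystem error here (for example through grub_error) would be safer than continuing. The comment also needs rewording: "this should never happen" contradicts the crafted-filesystem case that the commit message gives as the reason for the check.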
--
2.11.0