[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 078/117] fs/jfs: Catch infinite recursion
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 078/117] fs/jfs: Catch infinite recursion |
Date: |
Tue, 2 Mar 2021 19:01:25 +0100 |
From: Daniel Axtens <dja@axtens.net>
It's possible with a fuzzed filesystem for JFS to keep getblk()-ing
the same data over and over again, leading to stack exhaustion.
Check if we'd be calling the function with exactly the same data as
was passed in, and if so abort.
I'm not sure what the performance impact of this is and am open to
better ideas.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/jfs.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
index 804c42d31..6f7c43904 100644
--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@@ -304,7 +304,16 @@ getblk (struct grub_jfs_treehead *treehead,
<< (grub_le_to_cpu16 (data->sblock.log2_blksz)
- GRUB_DISK_SECTOR_BITS), 0,
sizeof (*tree), (char *) tree))
- ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+ {
+ if (grub_memcmp (&tree->treehead, treehead, sizeof (struct
grub_jfs_treehead)) ||
+ grub_memcmp (&tree->extents, extents, 254 * sizeof (struct
grub_jfs_tree_extent)))
+ ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+ else
+ {
+ grub_error (GRUB_ERR_BAD_FS, "jfs: infinite recursion detected");
+ ret = -1;
+ }
+ }
grub_free (tree);
return ret;
}
--
2.11.0
- [SECURITY PATCH 066/117] kern/misc: Always set *end in grub_strtoull(), (continued)
- [SECURITY PATCH 066/117] kern/misc: Always set *end in grub_strtoull(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 063/117] lib/arg: Block repeated short options that require an argument, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 065/117] commands/menuentry: Fix quoting in setparams_prefix(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 070/117] term/gfxterm: Don't set up a font with glyphs that are too big, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 064/117] script/execute: Don't crash on a "for" loop with no items, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 069/117] video/readers/jpeg: Don't decode data before start of stream, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 068/117] video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 072/117] fs/hfsplus: Don't fetch a key beyond the end of the node, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 071/117] fs/fshelp: Catch impermissibly large block sizes in read helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 082/117] io/gzio: Bail if gzio->tl/td is NULL, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 078/117] fs/jfs: Catch infinite recursion,
Daniel Kiper <=
- [SECURITY PATCH 073/117] fs/hfsplus: Don't use uninitialized data on corrupt filesystems, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 083/117] io/gzio: Add init_dynamic_block() clean up if unpacking codes fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 079/117] fs/nilfs2: Reject too-large keys, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 077/117] fs/jfs: Limit the extents that getblk() can consider, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 084/117] io/gzio: Catch missing values in huft_build() and bail, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 086/117] disk/lvm: Don't go beyond the end of the data we read from disk, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 087/117] disk/lvm: Don't blast past the end of the circular metadata buffer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 089/117] disk/lvm: Do not crash if an expected string is not found, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 085/117] io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 091/117] disk/lvm: Sanitize rlocn->offset to prevent wild read, Daniel Kiper, 2021/03/02