| From 223120dd83745126cb232a0248c9a8901d7e350d Mon Sep 17 00:00:00 2001 |
| From: Daniel Axtens <dja@axtens.net> |
| Date: Mon, 18 Jan 2021 15:47:24 +1100 |
| Subject: [PATCH] fs/jfs: Catch infinite recursion |
| |
| It's possible with a fuzzed filesystem for JFS to keep getblk()-ing |
| the same data over and over again, leading to stack exhaustion. |
| |
| Check if we'd be calling the function with exactly the same data as |
| was passed in, and if so abort. |
| |
| I'm not sure what the performance impact of this is and am open to |
| better ideas. |
| |
| Signed-off-by: Daniel Axtens <dja@axtens.net> |
| Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> |
| --- |
| grub-core/fs/jfs.c | 11 ++++++++++- |
| 1 file changed, 10 insertions(+), 1 deletion(-) |
| |
| diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c |
| index 804c42d..6f7c439 100644 |
| --- a/grub-core/fs/jfs.c |
| +++ b/grub-core/fs/jfs.c |
| @@ -304,7 +304,16 @@ getblk (struct grub_jfs_treehead *treehead, |
| << (grub_le_to_cpu16 (data->sblock.log2_blksz) |
| - GRUB_DISK_SECTOR_BITS), 0, |
| sizeof (*tree), (char *) tree)) |
| - ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk); |
| + { |
| + if (grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) || |
| + grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent))) |
| + ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk); |
| + else |
| + { |
| + grub_error (GRUB_ERR_BAD_FS, "jfs: infinite recursion detected"); |
| + ret = -1; |
| + } |
| + } |
| grub_free (tree); |
| return ret; |
| } |
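Review bot: The new comparison at `grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent))` reads 254 entries from the caller-supplied `extents` array, but only the recursive call is guaranteed to pass a 254-entry array; if the outer caller passes a smaller in-inode extent array with the count parameter that the recursive call sets to 254, this compare reads past the end of that array, which turns the recursion guard into an out-of-bounds read on the very fuzzed images it is meant to defend against. The length should be derived from the count parameter rather than hard-coded, e.g. `grub_memcmp (&tree->extents, extents, <max_extents_param> * sizeof (struct grub_jfs_tree_extent))` (placeholder for the parameter name, which is not visible in the hunk since getblk's signature starts above it). Note also that comparing only against the immediate caller's data detects a one-block self-loop but not a longer cycle (A → B → A), so a bounded recursion depth, checked before the recursive call, would be a more complete stop condition; if the byte comparison is kept, a comment such as `/* A tree node pointing back at itself would recurse forever; reject it. */` above the check would make its purpose clear to the next reader.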
| -- |
| 2.14.2 |
| |