boot/grub2/0103-fs-fshelp-Catch-impermissibly-large-block-sizes-in-r.patch - buildroot - Git at Google

 From b5bc456f664bc301ab4cd5a17d3d23c6661c259e Mon Sep 17 00:00:00 2001
 From: Daniel Axtens <dja@axtens.net>
 Date: Mon, 18 Jan 2021 11:46:39 +1100
 Subject: [PATCH] fs/fshelp: Catch impermissibly large block sizes in read
  helper

 A fuzzed HFS+ filesystem had log2blocksize = 22. This gave
 log2blocksize + GRUB_DISK_SECTOR_BITS = 31. 1 << 31 = 0x80000000,
 which is -1 as an int. This caused some wacky behavior later on in
 the function, leading to out-of-bounds writes on the destination buffer.

 Catch log2blocksize + GRUB_DISK_SECTOR_BITS >= 31. We could be stricter,
 but this is the minimum that will prevent integer size weirdness.

 Signed-off-by: Daniel Axtens <dja@axtens.net>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
 ---
  grub-core/fs/fshelp.c | 12 ++++++++++++
  1 file changed, 12 insertions(+)

 diff --git a/grub-core/fs/fshelp.c b/grub-core/fs/fshelp.c
 index 4c902ad..a2d0d29 100644
 --- a/grub-core/fs/fshelp.c
 +++ b/grub-core/fs/fshelp.c
 @@ -362,6 +362,18 @@ grub_fshelp_read_file (grub_disk_t disk, grub_fshelp_node_t node,
    grub_disk_addr_t i, blockcnt;
    int blocksize = 1 << (log2blocksize + GRUB_DISK_SECTOR_BITS);

 +  /*
 +   * Catch blatantly invalid log2blocksize. We could be a lot stricter, but
 +   * this is the most permissive we can be before we start to see integer
 +   * overflow/underflow issues.
 +   */
 +  if (log2blocksize + GRUB_DISK_SECTOR_BITS >= 31)
 +    {
 +      grub_error (GRUB_ERR_OUT_OF_RANGE,
 +		  N_("blocksize too large"));
 +      return -1;
 +    }
 +
    if (pos > filesize)
      {
        grub_error (GRUB_ERR_OUT_OF_RANGE,
 --
 2.14.2
	From b5bc456f664bc301ab4cd5a17d3d23c6661c259e Mon Sep 17 00:00:00 2001
	From: Daniel Axtens <dja@axtens.net>
	Date: Mon, 18 Jan 2021 11:46:39 +1100
	Subject: [PATCH] fs/fshelp: Catch impermissibly large block sizes in read
	helper

	A fuzzed HFS+ filesystem had log2blocksize = 22. This gave
	log2blocksize + GRUB_DISK_SECTOR_BITS = 31. 1 << 31 = 0x80000000,
	which is -1 as an int. This caused some wacky behavior later on in
	the function, leading to out-of-bounds writes on the destination buffer.

	Catch log2blocksize + GRUB_DISK_SECTOR_BITS >= 31. We could be stricter,
	but this is the minimum that will prevent integer size weirdness.

	Signed-off-by: Daniel Axtens <dja@axtens.net>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
	---
	grub-core/fs/fshelp.c \| 12 ++++++++++++
	1 file changed, 12 insertions(+)

	diff --git a/grub-core/fs/fshelp.c b/grub-core/fs/fshelp.c
	index 4c902ad..a2d0d29 100644
	--- a/grub-core/fs/fshelp.c
	+++ b/grub-core/fs/fshelp.c
	@@ -362,6 +362,18 @@ grub_fshelp_read_file (grub_disk_t disk, grub_fshelp_node_t node,
	grub_disk_addr_t i, blockcnt;
	int blocksize = 1 << (log2blocksize + GRUB_DISK_SECTOR_BITS);

	+ /*
	+ * Catch blatantly invalid log2blocksize. We could be a lot stricter, but
	+ * this is the most permissive we can be before we start to see integer
	+ * overflow/underflow issues.
	+ */
	+ if (log2blocksize + GRUB_DISK_SECTOR_BITS >= 31)
	+ {
	+ grub_error (GRUB_ERR_OUT_OF_RANGE,
	+ N_("blocksize too large"));
	+ return -1;
	+ }
	+
	if (pos > filesize)
	{
	grub_error (GRUB_ERR_OUT_OF_RANGE,
	--
	2.14.2