52 lines
1.8 KiB
Diff
52 lines
1.8 KiB
Diff
From b541e93b4dab6f652941d086af4fe2da676d0ee3 Mon Sep 17 00:00:00 2001
|
|
From: Lidong Chen <lidong.chen@oracle.com>
|
|
Date: Thu, 28 Sep 2023 22:33:44 +0000
|
|
Subject: [PATCH 1/3] fs/xfs: Incorrect short form directory data boundary
|
|
check
|
|
|
|
After parsing of the current entry, the entry pointer is advanced
|
|
to the next entry at the end of the "for" loop. In case where the
|
|
last entry is at the end of the data boundary, the advanced entry
|
|
pointer can point off the data boundary. The subsequent boundary
|
|
check for the advanced entry pointer can cause a failure.
|
|
|
|
The fix is to include the boundary check into the "for" loop
|
|
condition.
|
|
|
|
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
Tested-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
|
|
Tested-by: Marta Lewandowska <mlewando@redhat.com>
|
|
---
|
|
grub-core/fs/xfs.c | 7 ++-----
|
|
1 file changed, 2 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
|
|
index b91cd32b4..ebf962793 100644
|
|
--- a/grub-core/fs/xfs.c
|
|
+++ b/grub-core/fs/xfs.c
|
|
@@ -810,7 +810,8 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
|
|
if (iterate_dir_call_hook (parent, "..", &ctx))
|
|
return 1;
|
|
|
|
- for (i = 0; i < head->count; i++)
|
|
+ for (i = 0; i < head->count &&
|
|
+ (grub_uint8_t *) de < ((grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data)); i++)
|
|
{
|
|
grub_uint64_t ino;
|
|
grub_uint8_t *inopos = grub_xfs_inline_de_inopos(dir->data, de);
|
|
@@ -845,10 +846,6 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
|
|
de->name[de->len] = c;
|
|
|
|
de = grub_xfs_inline_next_de(dir->data, head, de);
|
|
-
|
|
- if ((grub_uint8_t *) de >= (grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data))
|
|
- return grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");
|
|
-
|
|
}
|
|
break;
|
|
}
|
|
--
|
|
2.42.1
|
|
|