grub2/0026-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch

From c1013c295f1e32620db302470f126df0c6a0d5a5 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Wed, 6 Apr 2022 18:03:37 +0530
Subject: [PATCH 26/32] fs/f2fs: Do not read past the end of nat journal
 entries

A corrupt f2fs file system could specify a nat journal entry count
that is beyond the maximum NAT_JOURNAL_ENTRIES.

Check if the specified nat journal entry count before accessing the
array, and throw an error if it is too large.

Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/f2fs.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c
index 8a9992ca9e..63702214b0 100644
--- a/grub-core/fs/f2fs.c
+++ b/grub-core/fs/f2fs.c
@@ -632,23 +632,27 @@ get_nat_journal (struct grub_f2fs_data *data)
   return err;
 }
 
-static grub_uint32_t
-get_blkaddr_from_nat_journal (struct grub_f2fs_data *data, grub_uint32_t nid)
+static grub_err_t
+get_blkaddr_from_nat_journal (struct grub_f2fs_data *data, grub_uint32_t nid,
+                              grub_uint32_t *blkaddr)
 {
   grub_uint16_t n = grub_le_to_cpu16 (data->nat_j.n_nats);
-  grub_uint32_t blkaddr = 0;
   grub_uint16_t i;
 
+  if (n >= NAT_JOURNAL_ENTRIES)
+    return grub_error (GRUB_ERR_BAD_FS,
+                       "invalid number of nat journal entries");
+
   for (i = 0; i < n; i++)
     {
       if (grub_le_to_cpu32 (data->nat_j.entries[i].nid) == nid)
         {
-          blkaddr = grub_le_to_cpu32 (data->nat_j.entries[i].ne.block_addr);
+          *blkaddr = grub_le_to_cpu32 (data->nat_j.entries[i].ne.block_addr);
           break;
         }
     }
 
-  return blkaddr;
+  return GRUB_ERR_NONE;
 }
 
 static grub_uint32_t
@@ -656,10 +660,13 @@ get_node_blkaddr (struct grub_f2fs_data *data, grub_uint32_t nid)
 {
   struct grub_f2fs_nat_block *nat_block;
   grub_uint32_t seg_off, block_off, entry_off, block_addr;
-  grub_uint32_t blkaddr;
+  grub_uint32_t blkaddr = 0;
   grub_err_t err;
 
-  blkaddr = get_blkaddr_from_nat_journal (data, nid);
+  err = get_blkaddr_from_nat_journal (data, nid, &blkaddr);
+  if (err != GRUB_ERR_NONE)
+    return 0;
+
   if (blkaddr)
     return blkaddr;
 
-- 
2.34.1
Accepting request 981228 from home:michael-chang:branches:Base:System - Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581) * 0001-video-Remove-trailing-whitespaces.patch * 0002-loader-efi-chainloader-Simplify-the-loader-state.patch * 0003-commands-boot-Add-API-to-pass-context-to-loader.patch - Fix CVE-2022-28736 (bsc#1198496) * 0004-loader-efi-chainloader-Use-grub_loader_set_ex.patch - Fix CVE-2022-28735 (bsc#1198495) * 0005-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch * 0006-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch * 0007-video-readers-png-Abort-sooner-if-a-read-operation-f.patch * 0008-video-readers-png-Refuse-to-handle-multiple-image-he.patch - Fix CVE-2021-3695 (bsc#1191184) * 0009-video-readers-png-Drop-greyscale-support-to-fix-heap.patch - Fix CVE-2021-3696 (bsc#1191185) * 0010-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch * 0011-video-readers-png-Sanity-check-some-huffman-codes.patch * 0012-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch * 0013-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch * 0014-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch - Fix CVE-2021-3697 (bsc#1191186) * 0015-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch * 0016-normal-charset-Fix-array-out-of-bounds-formatting-un.patch - Fix CVE-2022-28733 (bsc#1198460) * 0017-net-ip-Do-IP-fragment-maths-safely.patch * 0018-net-netbuff-Block-overly-large-netbuff-allocs.patch * 0019-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch * 0020-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch * 0021-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch * 0022-net-tftp-Avoid-a-trivial-UAF.patch * 0023-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch OBS-URL: https://build.opensuse.org/request/show/981228 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=416 2022-06-08 05:04:17 +02:00			`From c1013c295f1e32620db302470f126df0c6a0d5a5 Mon Sep 17 00:00:00 2001`
			`From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>`
			`Date: Wed, 6 Apr 2022 18:03:37 +0530`
			`Subject: [PATCH 26/32] fs/f2fs: Do not read past the end of nat journal`
			`entries`

			`A corrupt f2fs file system could specify a nat journal entry count`
			`that is beyond the maximum NAT_JOURNAL_ENTRIES.`

			`Check if the specified nat journal entry count before accessing the`
			`array, and throw an error if it is too large.`

			`Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>`
			`Signed-off-by: Daniel Axtens <dja@axtens.net>`
			`Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>`
			`---`
			`grub-core/fs/f2fs.c \| 21 ++++++++++++++-------`
			`1 file changed, 14 insertions(+), 7 deletions(-)`

			`diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c`
			`index 8a9992ca9e..63702214b0 100644`
			`--- a/grub-core/fs/f2fs.c`
			`+++ b/grub-core/fs/f2fs.c`
			`@@ -632,23 +632,27 @@ get_nat_journal (struct grub_f2fs_data *data)`
			`return err;`
			`}`

			`-static grub_uint32_t`
			`-get_blkaddr_from_nat_journal (struct grub_f2fs_data *data, grub_uint32_t nid)`
			`+static grub_err_t`
			`+get_blkaddr_from_nat_journal (struct grub_f2fs_data *data, grub_uint32_t nid,`
			`+ grub_uint32_t *blkaddr)`
			`{`
			`grub_uint16_t n = grub_le_to_cpu16 (data->nat_j.n_nats);`
			`- grub_uint32_t blkaddr = 0;`
			`grub_uint16_t i;`

			`+ if (n >= NAT_JOURNAL_ENTRIES)`
			`+ return grub_error (GRUB_ERR_BAD_FS,`
			`+ "invalid number of nat journal entries");`
			`+`
			`for (i = 0; i < n; i++)`
			`{`
			`if (grub_le_to_cpu32 (data->nat_j.entries[i].nid) == nid)`
			`{`
			`- blkaddr = grub_le_to_cpu32 (data->nat_j.entries[i].ne.block_addr);`
			`+ *blkaddr = grub_le_to_cpu32 (data->nat_j.entries[i].ne.block_addr);`
			`break;`
			`}`
			`}`

			`- return blkaddr;`
			`+ return GRUB_ERR_NONE;`
			`}`

			`static grub_uint32_t`
			`@@ -656,10 +660,13 @@ get_node_blkaddr (struct grub_f2fs_data *data, grub_uint32_t nid)`
			`{`
			`struct grub_f2fs_nat_block *nat_block;`
			`grub_uint32_t seg_off, block_off, entry_off, block_addr;`
			`- grub_uint32_t blkaddr;`
			`+ grub_uint32_t blkaddr = 0;`
			`grub_err_t err;`

			`- blkaddr = get_blkaddr_from_nat_journal (data, nid);`
			`+ err = get_blkaddr_from_nat_journal (data, nid, &blkaddr);`
			`+ if (err != GRUB_ERR_NONE)`
			`+ return 0;`
			`+`
			`if (blkaddr)`
			`return blkaddr;`

			`--`
			`2.34.1`