Import from CS git

SOURCES/0677-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch

@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Fri, 21 Feb 2025 09:06:12 +0800
+Subject: [PATCH] fs/ext2: Rework out-of-bounds read for inline and external
+ extents
+
+Previously, the number of extent entries was not properly capped based
+on the actual available space. This could lead to insufficient reads for
+external extents since the computation was based solely on the inline
+extent layout.
+
+In this patch, when processing the extent header we determine whether
+the header is stored inline, i.e. at inode->blocks.dir_blocks, or in an
+external extent block. We then clamp the number of entries accordingly
+(using max_inline_ext for inline extents and max_external_ext for
+external extent blocks).
+
+This change ensures that only the valid number of extent entries is
+processed preventing out-of-bound reads and potential filesystem
+corruption.
+
+Fixes: 7e2f750f0a (fs/ext2: Fix out-of-bounds read for inline extents)
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+Tested-by: Christian Hesse <mail@eworm.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ext2.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
+index dc62a6c..b144549 100644
+--- a/grub-core/fs/ext2.c
++++ b/grub-core/fs/ext2.c
+@@ -474,7 +474,10 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+       int i;
+       grub_disk_addr_t ret;
+       grub_uint16_t nent;
++      /* Maximum number of extent entries in the inode's inline extent area. */
+       const grub_uint16_t max_inline_ext = sizeof (inode->blocks) / sizeof (*ext) - 1; /* Minus 1 extent header. */
++      /* Maximum number of extent entries in the external extent block. */
++      const grub_uint16_t max_external_ext = EXT2_BLOCK_SIZE (data) / sizeof (*ext) - 1; /* Minus 1 extent header. */
+
+       leaf = grub_ext4_find_leaf (data, (struct grub_ext4_extent_header *) inode->blocks.dir_blocks, fileblock);
+       if (! leaf)
+@@ -487,8 +490,18 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+
+       nent = grub_le_to_cpu16 (leaf->entries);
+
+-      if (leaf->depth == 0)
++      /*
++       * Determine the effective number of extent entries (nent) to process.
++       * If the extent header (leaf) is stored inline in the inode’s block
++       * area, i.e. at inode->blocks.dir_blocks, then only max_inline_ext
++       * entries can fit. Otherwise, if the header was read from an external
++       * extent block use the larger limit, max_external_ext, based on the
++       * full block size.
++       */
++      if (leaf == (struct grub_ext4_extent_header *) inode->blocks.dir_blocks)
+         nent = grub_min (nent, max_inline_ext);
++      else
++	nent = grub_min (nent, max_external_ext);
+
+       for (i = 0; i < nent; i++)
+         {

SOURCES/grub.patches

@@ -673,3 +673,4 @@ Patch0673: 0673-fs-xfs-Fix-XFS-directory-extent-parsing.patch
 Patch0674: 0674-fs-xfs-Add-large-extent-counters-incompat-feature-su.patch
 Patch0675: 0675-fs-xfs-Handle-non-continuous-data-blocks-in-director.patch
 Patch0676: 0676-fs-xfs-fix-large-extent-counters-incompat-feature-su.patch
+Patch0677: 0677-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch

SPECS/grub2.spec

@@ -7,7 +7,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	164%{?dist}
+Release:	165%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@@ -523,6 +523,10 @@ fi
 %endif
 
 %changelog
+* Thu Apr 17 2025 Nicolas Frayer <nfrayer@redhat.com> - 2.02-165
+- fs/ext2: Rework of OOB read patch
+- Resolves: #RHEL-86553
+
 * Fri Apr 4 2025 Leo Sandoval <lsandova@redhat.com> - 2.02-164
 - Bump NVR to sign the build
 - Resolves: #RHEL-85627