fs/ext2: Rework out-of-bounds read for inline and external extents
Related: RHEL-79857 Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
This commit is contained in:
parent
6eaa34fe07
commit
9e9b890c89
@ -0,0 +1,65 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang via Grub-devel <grub-devel@gnu.org>
|
||||
Date: Fri, 21 Feb 2025 09:06:12 +0800
|
||||
Subject: [PATCH] fs/ext2: Rework out-of-bounds read for inline and external
|
||||
extents
|
||||
|
||||
Previously, the number of extent entries was not properly capped based
|
||||
on the actual available space. This could lead to insufficient reads for
|
||||
external extents, since the computation was based solely on the inline
|
||||
extent layout.
|
||||
|
||||
In this patch, when processing the extent header, we determine whether
|
||||
the header is stored inline (i.e., at inode->blocks.dir_blocks) or in an
|
||||
external extent block. We then clamp the number of entries accordingly
|
||||
(using max_inline_ext for inline extents and max_external_ext for
|
||||
external extent blocks).
|
||||
|
||||
This change ensures that only the valid number of extent entries is
|
||||
processed, preventing out-of-bound reads and potential filesystem
|
||||
corruption.
|
||||
|
||||
Fixes: 7e2f750f0a (fs/ext2: Fix out-of-bounds read for inline extents)
|
||||
|
||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
Tested-by: Christian Hesse <mail@eworm.de>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/fs/ext2.c | 15 ++++++++++++++-
|
||||
1 file changed, 14 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
|
||||
index 0ee22e675181..ecf4dc0a33f5 100644
|
||||
--- a/grub-core/fs/ext2.c
|
||||
+++ b/grub-core/fs/ext2.c
|
||||
@@ -482,7 +482,10 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
|
||||
int i;
|
||||
grub_disk_addr_t ret;
|
||||
grub_uint16_t nent;
|
||||
+ /* maximum number of extent entries in the inode's inline extent area */
|
||||
const grub_uint16_t max_inline_ext = sizeof (inode->blocks) / sizeof (*ext) - 1; /* Minus 1 extent header. */
|
||||
+ /* maximum number of extent entries in the external extent block */
|
||||
+ const grub_uint16_t max_external_ext = EXT2_BLOCK_SIZE(data) / sizeof (*ext) - 1; /* Minus 1 extent header. */
|
||||
|
||||
leaf = grub_ext4_find_leaf (data, (struct grub_ext4_extent_header *) inode->blocks.dir_blocks, fileblock);
|
||||
if (! leaf)
|
||||
@@ -495,8 +498,18 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
|
||||
|
||||
nent = grub_le_to_cpu16 (leaf->entries);
|
||||
|
||||
- if (leaf->depth == 0)
|
||||
+ /*
|
||||
+ * Determine the effective number of extent entries (nent) to process:
|
||||
+ * If the extent header (leaf) is stored inline in the inode’s block
|
||||
+ * area (i.e. at inode->blocks.dir_blocks), then only max_inline_ext
|
||||
+ * entries can fit.
|
||||
+ * Otherwise, if the header was read from an external extent block, use
|
||||
+ * the larger limit, max_external_ext, based on the full block size.
|
||||
+ */
|
||||
+ if (leaf == (struct grub_ext4_extent_header *) inode->blocks.dir_blocks)
|
||||
nent = grub_min (nent, max_inline_ext);
|
||||
+ else
|
||||
+ nent = grub_min (nent, max_external_ext);
|
||||
|
||||
for (i = 0; i < nent; i++)
|
||||
{
|
@ -451,3 +451,4 @@ Patch0450: 0450-loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch
|
||||
Patch0451: 0451-types-Make-bool-generally-available.patch
|
||||
Patch0452: 0452-include-grub-types.h-Add-PRI-GRUB_OFFSET-and-PRI-GRU.patch
|
||||
Patch0453: 0453-fs-xfs-Fix-issues-found-while-fuzzing-the-XFS-filesy.patch
|
||||
Patch0454: 0454-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch
|
||||
|
@ -16,7 +16,7 @@
|
||||
Name: grub2
|
||||
Epoch: 1
|
||||
Version: 2.06
|
||||
Release: 96%{?dist}
|
||||
Release: 97%{?dist}
|
||||
Summary: Bootloader with support for Linux, Multiboot and more
|
||||
License: GPLv3+
|
||||
URL: http://www.gnu.org/software/grub/
|
||||
@ -547,6 +547,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Feb 26 2025 Nicolas Frayer <nfrayer@redhat.com> - 2.06-97
|
||||
- fs/ext2: Rework out-of-bounds read for inline and external extents
|
||||
- Related: RHEL-79857
|
||||
|
||||
* Wed Feb 12 2025 Nicolas Frayer <nfrayer@redhat.com> - 2.06-96
|
||||
- Fixes for several CVEs
|
||||
- Resolves: CVE-2024-45779 CVE-2024-45778 CVE-2025-1118
|
||||
|
Loading…
Reference in New Issue
Block a user