fs/ext2: Rework out-of-bounds read for inline and external extents

Related: RHEL-79857
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
This commit is contained in:
Nicolas Frayer 2025-02-26 18:33:42 +01:00
parent 6eaa34fe07
commit 9e9b890c89
3 changed files with 71 additions and 1 deletions

View File

@ -0,0 +1,65 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Michael Chang via Grub-devel <grub-devel@gnu.org>
Date: Fri, 21 Feb 2025 09:06:12 +0800
Subject: [PATCH] fs/ext2: Rework out-of-bounds read for inline and external
extents
Previously, the number of extent entries was not properly capped based
on the actual available space. This could lead to insufficient reads for
external extents, since the computation was based solely on the inline
extent layout.
In this patch, when processing the extent header, we determine whether
the header is stored inline (i.e., at inode->blocks.dir_blocks) or in an
external extent block. We then clamp the number of entries accordingly
(using max_inline_ext for inline extents and max_external_ext for
external extent blocks).
This change ensures that only the valid number of extent entries is
processed, preventing out-of-bound reads and potential filesystem
corruption.
Fixes: 7e2f750f0a (fs/ext2: Fix out-of-bounds read for inline extents)
Signed-off-by: Michael Chang <mchang@suse.com>
Tested-by: Christian Hesse <mail@eworm.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/ext2.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
index 0ee22e675181..ecf4dc0a33f5 100644
--- a/grub-core/fs/ext2.c
+++ b/grub-core/fs/ext2.c
@@ -482,7 +482,10 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
int i;
grub_disk_addr_t ret;
grub_uint16_t nent;
+ /* maximum number of extent entries in the inode's inline extent area */
const grub_uint16_t max_inline_ext = sizeof (inode->blocks) / sizeof (*ext) - 1; /* Minus 1 extent header. */
+ /* maximum number of extent entries in the external extent block */
+ const grub_uint16_t max_external_ext = EXT2_BLOCK_SIZE(data) / sizeof (*ext) - 1; /* Minus 1 extent header. */
leaf = grub_ext4_find_leaf (data, (struct grub_ext4_extent_header *) inode->blocks.dir_blocks, fileblock);
if (! leaf)
@@ -495,8 +498,18 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
nent = grub_le_to_cpu16 (leaf->entries);
- if (leaf->depth == 0)
+ /*
+ * Determine the effective number of extent entries (nent) to process:
+ * If the extent header (leaf) is stored inline in the inodes block
+ * area (i.e. at inode->blocks.dir_blocks), then only max_inline_ext
+ * entries can fit.
+ * Otherwise, if the header was read from an external extent block, use
+ * the larger limit, max_external_ext, based on the full block size.
+ */
+ if (leaf == (struct grub_ext4_extent_header *) inode->blocks.dir_blocks)
nent = grub_min (nent, max_inline_ext);
+ else
+ nent = grub_min (nent, max_external_ext);
for (i = 0; i < nent; i++)
{

View File

@ -451,3 +451,4 @@ Patch0450: 0450-loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch
Patch0451: 0451-types-Make-bool-generally-available.patch
Patch0452: 0452-include-grub-types.h-Add-PRI-GRUB_OFFSET-and-PRI-GRU.patch
Patch0453: 0453-fs-xfs-Fix-issues-found-while-fuzzing-the-XFS-filesy.patch
Patch0454: 0454-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch

View File

@ -16,7 +16,7 @@
Name: grub2
Epoch: 1
Version: 2.06
Release: 96%{?dist}
Release: 97%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+
URL: http://www.gnu.org/software/grub/
@ -547,6 +547,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif
%changelog
* Wed Feb 26 2025 Nicolas Frayer <nfrayer@redhat.com> - 2.06-97
- fs/ext2: Rework out-of-bounds read for inline and external extents
- Related: RHEL-79857
* Wed Feb 12 2025 Nicolas Frayer <nfrayer@redhat.com> - 2.06-96
- Fixes for several CVEs
- Resolves: CVE-2024-45779 CVE-2024-45778 CVE-2025-1118