From 270099a784d7dc0d251a8be1fed57e55f4dd4f8f Mon Sep 17 00:00:00 2001
From: Lidong Chen
Date: Thu, 28 Sep 2023 22:33:44 +0000
Subject: [PATCH 460/464] fs/xfs: Incorrect short form directory data boundary check

After parsing of the current entry, the entry pointer is advanced to the next entry at the end of the "for" loop. In case where the last entry is at the end of the data boundary, the advanced entry pointer can point off the data boundary. The subsequent boundary check for the advanced entry pointer can cause a failure. The fix is to include the boundary check into the "for" loop condition.

Signed-off-by: Lidong Chen
Reviewed-by: Daniel Kiper
Tested-by: Sebastian Andrzej Siewior
Tested-by: Marta Lewandowska
---
 grub-core/fs/xfs.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
index 8cf41d07c2ee..a779eb6b8334 100644
--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
@@ -836,7 +836,8 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
 if (iterate_dir_call_hook (parent, "..", &ctx))
 return 1;
- for (i = 0; i < head->count; i++)
+ for (i = 0; i < head->count &&
+ (grub_uint8_t *) de < ((grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data)); i++)
 {
 grub_uint64_t ino;
 grub_uint8_t *inopos = grub_xfs_inline_de_inopos(dir->data, de);
@@ -871,10 +872,6 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
 de->name[de->len] = c;
 de = grub_xfs_inline_next_de(dir->data, head, de);
-
- if ((grub_uint8_t *) de >= (grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data))
- return grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");
-
 }
 break;
 }
--
2.46.1
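Review bot: With the bounds test folded into the `for` condition, a short-form directory whose `head->count` claims more entries than fit inside the inode now simply ends the loop early; the `GRUB_ERR_BAD_FS` return deleted in the second hunk is not replaced, so a corrupt or crafted image appears to produce a quietly truncated listing instead of an error. A check placed after the loop's closing brace would keep the diagnostic without bringing back the false positive on the last entry: `if (i < head->count) return grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");`. Separately, the new condition only establishes that the first byte of `de` lies inside the buffer, while the body goes on to use `de->len` and `de->name[de->len]`; unless the lines between the two hunks (not shown here) bound the whole entry, the guard should cover the entry's full extent rather than its start. grub_xfs_iterate_dir begins and ends outside both hunks, so this is based on the visible lines only.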