52 lines
1.8 KiB
Diff
52 lines
1.8 KiB
Diff
From 270099a784d7dc0d251a8be1fed57e55f4dd4f8f Mon Sep 17 00:00:00 2001
|
|
From: Lidong Chen <lidong.chen@oracle.com>
|
|
Date: Thu, 28 Sep 2023 22:33:44 +0000
|
|
Subject: [PATCH 460/464] fs/xfs: Incorrect short form directory data boundary
|
|
check
|
|
|
|
After parsing of the current entry, the entry pointer is advanced
|
|
to the next entry at the end of the "for" loop. In case where the
|
|
last entry is at the end of the data boundary, the advanced entry
|
|
pointer can point off the data boundary. The subsequent boundary
|
|
check for the advanced entry pointer can cause a failure.
|
|
|
|
The fix is to include the boundary check into the "for" loop
|
|
condition.
|
|
|
|
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
Tested-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
|
|
Tested-by: Marta Lewandowska <mlewando@redhat.com>
|
|
---
|
|
grub-core/fs/xfs.c | 7 ++-----
|
|
1 file changed, 2 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
|
|
index 8cf41d07c2ee..a779eb6b8334 100644
|
|
--- a/grub-core/fs/xfs.c
|
|
+++ b/grub-core/fs/xfs.c
|
|
@@ -836,7 +836,8 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
|
|
if (iterate_dir_call_hook (parent, "..", &ctx))
|
|
return 1;
|
|
|
|
- for (i = 0; i < head->count; i++)
|
|
+ for (i = 0; i < head->count &&
|
|
+ (grub_uint8_t *) de < ((grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data)); i++)
|
|
{
|
|
grub_uint64_t ino;
|
|
grub_uint8_t *inopos = grub_xfs_inline_de_inopos(dir->data, de);
|
|
@@ -871,10 +872,6 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
|
|
de->name[de->len] = c;
|
|
|
|
de = grub_xfs_inline_next_de(dir->data, head, de);
|
|
-
|
|
- if ((grub_uint8_t *) de >= (grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data))
|
|
- return grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");
|
|
-
|
|
}
|
|
break;
|
|
}
|
|
--
|
|
2.46.1
|
|
|