From: Daniel Kiper <daniel.kiper@oracle.com>
To: grub-devel@gnu.org
Subject: [SECURITY PATCH 30/30] fs/btrfs: Fix more fuzz issues related to chunks
Date: Tue,  7 Jun 2022 19:01:39 +0200
Message-ID: <20220607170139.19968-30-daniel.kiper@oracle.com>
In-Reply-To: <20220607170032.cnhkkxtnsvrzg6te@tomti.i.net-space.pl>

From: Darren Kenny <darren.kenny@oracle.com>

The corpus was generating issues in grub_btrfs_read_logical() when
attempting to iterate over stripe entries in the superblock's
bootmapping.

In most cases the reason for the failure was that the number of stripes
in chunk->nstripes exceeded the possible space statically allocated in
superblock bootmapping space. Each stripe entry in the bootmapping block
consists of a grub_btrfs_key followed by a grub_btrfs_chunk_stripe.

Another issue that came up was that while calculating the chunk size,
in an earlier piece of code in that function, depending on the data
provided in the btrfs file system, it would end up calculating a size
that was too small to contain even 1 grub_btrfs_chunk_item, which is
obviously invalid too.

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/btrfs.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
index 73b230632..ec72f7be3 100644
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@@ -918,6 +918,17 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
 	  return grub_error (GRUB_ERR_BAD_FS,
 			     "got an invalid zero-size chunk");
 	}
+
+      /*
+       * The space being allocated for a chunk should at least be able to
+       * contain one chunk item.
+       */
+      if (chsize < sizeof (struct grub_btrfs_chunk_item))
+       {
+         grub_dprintf ("btrfs", "chunk-size too small\n");
+         return grub_error (GRUB_ERR_BAD_FS,
+                            "got an invalid chunk size");
+       }
       chunk = grub_malloc (chsize);
       if (!chunk)
 	return grub_errno;
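Review bot: the new `chsize < sizeof (struct grub_btrfs_chunk_item)` test subsumes the `got an invalid zero-size chunk` test directly above it (a zero chsize is also smaller than one chunk item), so either fold the two into one check with one message or say in the commit message why the separate zero-size diagnostic is kept. The added block is also indented with seven spaces, while the surrounding code uses GNU style (tabs and two-space steps, cf. `chunk = grub_malloc (chsize);`), so it should be re-indented to match the rest of the file.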
@@ -1165,6 +1176,13 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
 	if (csize > (grub_uint64_t) size)
 	  csize = size;
 
+	/*
+	 * The space for a chunk stripe is limited to the space provide in the super-block's
+	 * bootstrap mapping with an initial btrfs key at the start of each chunk.
+	 */
+	grub_size_t avail_stripes = sizeof (data->sblock.bootstrap_mapping) /
+	  (sizeof (struct grub_btrfs_key) + sizeof (struct grub_btrfs_chunk_stripe));
+
 	for (j = 0; j < 2; j++)
 	  {
 	    grub_size_t est_chunk_alloc = 0;
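Review bot: the comment has a typo, `space provide` should read `space provided`, and its first line runs past 80 columns, so it needs rewrapping. More substantively, `avail_stripes` is derived from `sizeof (data->sblock.bootstrap_mapping)`, yet the first hunk shows a chunk being allocated with `grub_malloc (chsize)` from a size obtained elsewhere; if `chunk` can reach this loop from the chunk tree rather than from the bootstrap mapping, a bound based on the bootstrap mapping's capacity is too tight for those chunks, and the commit message should justify why this capacity is the correct upper bound on every path that reaches this point.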
@@ -1191,6 +1209,12 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
 		break;
 	      }
 
+	   if (grub_le_to_cpu16 (chunk->nstripes) > avail_stripes)
+             {
+               err = GRUB_ERR_BAD_FS;
+               break;
+             }
+
 	    if (is_raid56)
 	      {
 		err = btrfs_read_from_chunk (data, chunk, stripen,
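Review bot: the new nstripes check sets `err = GRUB_ERR_BAD_FS` and breaks without any message, whereas the equivalent check in the first hunk calls `grub_dprintf` and `grub_error` with a reason; add at least a `grub_dprintf ("btrfs", ...)` so a rejected image can be diagnosed. The indentation is inconsistent as well: the `if` is a tab plus three spaces and the braces are thirteen spaces, while the neighbouring `if (is_raid56)` uses a tab plus four spaces. Since `chunk->nstripes` does not change across the `for (j = 0; j < 2; j++)` iterations, the test could also be done once before the loop, next to where `avail_stripes` is computed.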
-- 
2.11.0

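As an added example that is not part of this patch or of GRUB's code, the following C applies the three checks the patch leaves in place (the existing zero-size test and the two added here) to a constructed chunk item; the structure sizes and the 2048-byte bootstrap mapping are assumptions made for the example, so the capacity bound of 41 stripe entries is computed rather than taken from the diff.

```c
/* Added example, not GRUB's own code: the chunk sanity checks from this patch
 * applied to a constructed, simplified on-disk layout. The struct sizes and
 * BOOTSTRAP_MAPPING_SIZE are assumptions made for the example. */
#include <stddef.h>
#include <stdint.h>

#define BOOTSTRAP_MAPPING_SIZE 2048 /* assumed capacity of the sys chunk array */

/* Assumed layouts: 17-byte key, 32-byte stripe, 48-byte chunk item. */
struct btrfs_key { uint64_t objectid; uint8_t type; uint64_t offset; } __attribute__ ((packed));
struct chunk_stripe { uint64_t device_id; uint64_t offset; uint8_t device_uuid[16]; } __attribute__ ((packed));
struct chunk_item {
  uint64_t size, dummy, stripe_length, type;
  uint32_t optimal_io_alignment, optimal_io_width, minimal_io_size;
  uint16_t nstripes, nsubstripes;
} __attribute__ ((packed));

enum chunk_verdict { CHUNK_OK = 0, CHUNK_ZERO_SIZE, CHUNK_TOO_SMALL, CHUNK_TOO_MANY_STRIPES };
/* Each bootstrap entry is a key followed by a stripe: 2048 / (17 + 32) = 41 fit. */
size_t avail_stripes (void)
{
  return BOOTSTRAP_MAPPING_SIZE / (sizeof (struct btrfs_key) + sizeof (struct chunk_stripe));
}

/* Portable little-endian 16-bit read, standing in for grub_le_to_cpu16. */
static uint16_t le16_at (const uint8_t *p) { return (uint16_t) (p[0] | (p[1] << 8)); }

/* Apply the checks in the order the patched function does: zero size, then
 * room for one chunk item, then stripe count against the bootstrap mapping. */
enum chunk_verdict validate_chunk (const uint8_t *buf, size_t chsize)
{
  if (chsize == 0)
    return CHUNK_ZERO_SIZE;
  if (chsize < sizeof (struct chunk_item))
    return CHUNK_TOO_SMALL;
  if (le16_at (buf + offsetof (struct chunk_item, nstripes)) > avail_stripes ())
    return CHUNK_TOO_MANY_STRIPES;
  return CHUNK_OK;
}

/* Build a constructed chunk item with the given stripe count and validate it
 * as if chsize bytes had been read for it. */
enum chunk_verdict check_sample (uint16_t nstripes, size_t chsize)
{
  uint8_t buf[sizeof (struct chunk_item)] = { 0 };
  buf[offsetof (struct chunk_item, nstripes)] = (uint8_t) (nstripes & 0xff);
  buf[offsetof (struct chunk_item, nstripes) + 1] = (uint8_t) (nstripes >> 8);
  return validate_chunk (buf, chsize);
}
```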