From: Jagannathan Raman <jag.raman@oracle.com>
To: grub-devel@gnu.org
Cc: daniel.kiper@oracle.com, darren.kenny@oracle.com,
	ross.philipson@oracle.com, alec.r.brown@oracle.com
Subject: [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block()
Date: Thu, 17 Nov 2022 00:17:52 +0000
Message-ID: <ad9409d1c408ba59b099261cad74d6644ddabf03.1668644102.git.jag.raman@oracle.com>
In-Reply-To: <cover.1668644102.git.jag.raman@oracle.com>

Validate the length of Allocation Extent Descriptor in
grub_udf_read_block(), based on the details in UDF spec. v2.01 section
2.3.11

Fixes: CID 314037

Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
---
 grub-core/fs/udf.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
index 12e88ab62..d19fa3987 100644
--- a/grub-core/fs/udf.c
+++ b/grub-core/fs/udf.c
@@ -510,6 +510,20 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
 		}
 
 	      len = U32 (extension->ae_len);
+              /*
+               * Ensure AE length is less than block size
+               * per UDF spec v2.01 section 2.3.11
+               *
+               * node->data->lbshift is initialized by
+               * grub_udf_mount(). lbshift has a maximum value
+               * of 3 and it does not cause an overflow here.
+               */
+              if (len < 0 || len > ((grub_ssize_t) 1 << node->data->lbshift))
+                {
+                  grub_error (GRUB_ERR_BAD_FS, "invalid ae length");
+                  goto fail;
+                }
+
 	      ad = (struct grub_udf_short_ad *)
 		    (buf + sizeof (struct grub_udf_aed));
 	      continue;
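Review bot: the upper bound in `if (len < 0 || len > ((grub_ssize_t) 1 << node->data->lbshift))` is in the wrong unit. The comment right above it states that lbshift is at most 3, so `(grub_ssize_t) 1 << node->data->lbshift` evaluates to at most 8; that is a shift count or sector multiple, not the logical block size in bytes that ae_len is measured in. With this bound any AED whose descriptor area is longer than 8 bytes is rejected as a bad filesystem, which will break reading of legitimate files with more than a trivial extent list. Compare against the block size in bytes instead, for example `GRUB_DISK_SECTOR_SIZE << node->data->lbshift` if lbshift is the shift relative to the 512-byte sector as the "maximum value of 3" remark suggests, or whatever grub_udf_mount() records as the logical block size. Because `ad` is then placed at `buf + sizeof (struct grub_udf_aed)`, the limit should also subtract the AED header so the descriptor walk cannot run past the end of `buf`; UDF 2.01 section 2.3.11 bounds the AED together with its descriptors by the logical block size, not the descriptors alone.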
@@ -563,6 +577,20 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
 		}
 
 	      len = U32 (extension->ae_len);
+              /*
+               * Ensure AE length is less than block size
+               * per UDF spec v2.01 section 2.3.11
+               *
+               * node->data->lbshift is initialized by
+               * grub_udf_mount(). lbshift has a maximum value
+               * of 3 and it does not cause an overflow here.
+               */
+              if (len < 0 || len > ((grub_ssize_t) 1 << node->data->lbshift))
+                {
+                  grub_error (GRUB_ERR_BAD_FS, "invalid ae length");
+                  goto fail;
+                }
+
 	      ad = (struct grub_udf_long_ad *)
 		    (buf + sizeof (struct grub_udf_aed));
 	      continue;
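Review bot: this hunk is a verbatim copy of the check in the short_ad path, comment included, and it inherits the same defect: per the comment lbshift is at most 3, so `(grub_ssize_t) 1 << node->data->lbshift` is at most 8 and every AED whose descriptor area exceeds 8 bytes is rejected here too, although the bound must be the logical block size in bytes minus `sizeof (struct grub_udf_aed)`. Rather than patching the expression twice, factor the bound test into a small static helper (or compute the byte limit once before the loop) so the two paths cannot drift. Two smaller points: the new lines are indented with spaces while the surrounding code (`len = U32 (extension->ae_len);`, `ad = (struct grub_udf_long_ad *)`) uses tabs, so match the file's tab indentation; and the comment says "less than block size" while the condition only rejects `len > ...`, so equality is accepted and the comment and test should agree.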
-- 
2.20.1
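To make the bound concrete, here is an added example that is not GRUB code and does not use GRUB's structs: it walks a constructed Allocation Extent Descriptor block with a byte-accurate limit (logical block size minus the AED header, per UDF 2.01 section 2.3.11) and, beside it, reproduces the `1 << lbshift` expression from the patch so its effect on a legitimate AED can be observed. The on-disk offsets (ae_len at byte 20 after a 16-byte tag and a 4-byte previous-AE field, 8-byte short allocation descriptors), the 512-byte sector constant, the reading of lbshift as log2(block size / 512) with a maximum of 3, and the function names are all assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example, not GRUB code. Assumed on-disk layout of an AED: a 16-byte
 * descriptor tag, a 4-byte previous-AE location and the 4-byte "length of
 * allocation descriptors" (ae_len) at offset 20, followed by 8-byte short
 * allocation descriptors. Offsets and sizes are this example's assumptions,
 * not GRUB's struct definitions.
 */
#define SECTOR_SIZE    512u
#define AED_HEADER_LEN 24u   /* tag + prev_ae + ae_len */
#define AE_LEN_OFFSET  20u
#define SHORT_AD_LEN   8u
#define MAX_LBSHIFT    3u    /* 512 << 3 == 4096-byte logical blocks */

static uint32_t
rd32le (const uint8_t *p)
{
  return (uint32_t) p[0] | (uint32_t) p[1] << 8
         | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24;
}

static void
wr32le (uint8_t *p, uint32_t v)
{
  p[0] = v & 0xff;
  p[1] = (v >> 8) & 0xff;
  p[2] = (v >> 16) & 0xff;
  p[3] = (v >> 24) & 0xff;
}

/*
 * Bound ae_len by the logical block size in bytes minus the AED header, so
 * that reading ae_len bytes of descriptors starting at AED_HEADER_LEN never
 * leaves the block buffer. lbshift is taken as log2(block size / 512), at
 * most 3 (assumption modelled on the patch comment).
 * Returns the number of short_ads in the AED, or -1 if the AED is invalid.
 */
int
aed_short_ad_count (const uint8_t *block, unsigned lbshift)
{
  if (lbshift > MAX_LBSHIFT)
    return -1;                       /* untrusted shift, refuse to compute */
  uint32_t bsize = SECTOR_SIZE << lbshift;
  uint32_t ae_len = rd32le (block + AE_LEN_OFFSET);
  if (ae_len > bsize - AED_HEADER_LEN)
    return -1;                       /* descriptors would overrun the block */
  if (ae_len % SHORT_AD_LEN != 0)
    return -1;                       /* not a whole number of descriptors */
  return (int) (ae_len / SHORT_AD_LEN);
}

/*
 * The comparison as written in the patch, `len > ((grub_ssize_t) 1 << lbshift)`,
 * reproduced only to show its effect: with lbshift <= 3 the limit is 8 bytes.
 * Returns 1 if that check would accept the AED, 0 if it would reject it.
 */
int
patch_bound_accepts (const uint8_t *block, unsigned lbshift)
{
  int64_t len = rd32le (block + AE_LEN_OFFSET);
  return !(len < 0 || len > ((int64_t) 1 << lbshift));
}

/* Constructed sample input: a zeroed block carrying the given ae_len. */
void
build_sample_aed (uint8_t *block, unsigned lbshift, uint32_t ae_len)
{
  memset (block, 0, SECTOR_SIZE << lbshift);
  wr32le (block + AE_LEN_OFFSET, ae_len);
}

int
main (void)
{
  uint8_t block[SECTOR_SIZE << MAX_LBSHIFT];

  /* Legitimate AED in a 2048-byte block (lbshift 2) with four short_ads. */
  build_sample_aed (block, 2, 4 * SHORT_AD_LEN);
  printf ("valid AED: count=%d, patch bound accepts=%d\n",
          aed_short_ad_count (block, 2), patch_bound_accepts (block, 2));

  /* Hostile AED claiming a full block of descriptors after a 24-byte header. */
  build_sample_aed (block, 2, 2048);
  printf ("oversize AED: count=%d\n", aed_short_ad_count (block, 2));
  return 0;
}
```

The valid four-descriptor AED is accepted by the byte-accurate bound but rejected by the 8-byte limit, while an AED whose ae_len equals the full block size passes the patch's `len > block size` style of test only if the header is ignored; subtracting AED_HEADER_LEN is what keeps the descriptor pointer inside the buffer.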



Thread overview: 5+ messages
2022-11-17  0:17 [PATCH 0/1] Fix for CID 314037 Jagannathan Raman
2022-11-17  0:17 ` Jagannathan Raman [this message]
2022-11-23 14:52   ` [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block() Daniel Kiper
2022-11-23 15:20     ` Jag Raman
2022-11-23 16:10       ` Daniel Kiper
