1From b5bc456f664bc301ab4cd5a17d3d23c6661c259e Mon Sep 17 00:00:00 2001 2From: Daniel Axtens <dja@axtens.net> 3Date: Mon, 18 Jan 2021 11:46:39 +1100 4Subject: [PATCH] fs/fshelp: Catch impermissibly large block sizes in read 5 helper 6 7A fuzzed HFS+ filesystem had log2blocksize = 22. This gave 8log2blocksize + GRUB_DISK_SECTOR_BITS = 31. 1 << 31 = 0x80000000, 9which is -1 as an int. This caused some wacky behavior later on in 10the function, leading to out-of-bounds writes on the destination buffer. 11 12Catch log2blocksize + GRUB_DISK_SECTOR_BITS >= 31. We could be stricter, 13but this is the minimum that will prevent integer size weirdness. 14 15Signed-off-by: Daniel Axtens <dja@axtens.net> 16Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 17Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 18--- 19 grub-core/fs/fshelp.c | 12 ++++++++++++ 20 1 file changed, 12 insertions(+) 21 22diff --git a/grub-core/fs/fshelp.c b/grub-core/fs/fshelp.c 23index 4c902ad..a2d0d29 100644 24--- a/grub-core/fs/fshelp.c 25+++ b/grub-core/fs/fshelp.c 26@@ -362,6 +362,18 @@ grub_fshelp_read_file (grub_disk_t disk, grub_fshelp_node_t node, 27 grub_disk_addr_t i, blockcnt; 28 int blocksize = 1 << (log2blocksize + GRUB_DISK_SECTOR_BITS); 29 30+ /* 31+ * Catch blatantly invalid log2blocksize. We could be a lot stricter, but 32+ * this is the most permissive we can be before we start to see integer 33+ * overflow/underflow issues. 34+ */ 35+ if (log2blocksize + GRUB_DISK_SECTOR_BITS >= 31) 36+ { 37+ grub_error (GRUB_ERR_OUT_OF_RANGE, 38+ N_("blocksize too large")); 39+ return -1; 40+ } 41+ 42 if (pos > filesize) 43 { 44 grub_error (GRUB_ERR_OUT_OF_RANGE, 45-- 462.14.2 47 48