1From 223120dd83745126cb232a0248c9a8901d7e350d Mon Sep 17 00:00:00 2001
2From: Daniel Axtens <dja@axtens.net>
3Date: Mon, 18 Jan 2021 15:47:24 +1100
4Subject: [PATCH] fs/jfs: Catch infinite recursion
5
6It's possible with a fuzzed filesystem for JFS to keep getblk()-ing
7the same data over and over again, leading to stack exhaustion.
8
9Check if we'd be calling the function with exactly the same data as
10was passed in, and if so abort.
11
12I'm not sure what the performance impact of this is and am open to
13better ideas.
14
15Signed-off-by: Daniel Axtens <dja@axtens.net>
16Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
17Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
18---
19 grub-core/fs/jfs.c | 11 ++++++++++-
20 1 file changed, 10 insertions(+), 1 deletion(-)
21
22diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
23index 804c42d..6f7c439 100644
24--- a/grub-core/fs/jfs.c
25+++ b/grub-core/fs/jfs.c
26@@ -304,7 +304,16 @@ getblk (struct grub_jfs_treehead *treehead,
27 			   << (grub_le_to_cpu16 (data->sblock.log2_blksz)
28 			       - GRUB_DISK_SECTOR_BITS), 0,
29 			   sizeof (*tree), (char *) tree))
30-	ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
31+	{
32+	  if (grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) ||
33+	      grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent)))
34+	    ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
35+	  else
36+	    {
37+	      grub_error (GRUB_ERR_BAD_FS, "jfs: infinite recursion detected");
38+	      ret = -1;
39+	    }
40+	}
41       grub_free (tree);
42       return ret;
43     }
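Review bot: The new grub_memcmp on the extents compares a fixed `254 * sizeof (struct grub_jfs_tree_extent)` bytes, but getblk takes an extent count as its third argument (the recursive call passes 254), and the caller's `extents` array need only be as long as that count; on an initial call with a shorter array the comparison reads past it. The length should be derived from that count parameter rather than the literal, i.e. `grub_memcmp (&tree->extents, extents, <count parameter> * sizeof (struct grub_jfs_tree_extent))`, with the parameter name taken from the signature, which is outside the hunk. Separately, the check only catches a node that reproduces its immediate parent byte for byte; a crafted cycle of two or more nodes, or a chain that differs by one byte per level, still recurses without bound, so a depth counter threaded through the recursion would be the more robust stop. The body of getblk begins and ends outside this hunk.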
44--
452.14.2
46
47