xref: /OK3568_Linux_fs/buildroot/boot/grub2/0110-fs-jfs-Catch-infinite-recursion.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981)
1*4882a593SmuzhiyunFrom 223120dd83745126cb232a0248c9a8901d7e350d Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Daniel Axtens <dja@axtens.net>
3*4882a593SmuzhiyunDate: Mon, 18 Jan 2021 15:47:24 +1100
4*4882a593SmuzhiyunSubject: [PATCH] fs/jfs: Catch infinite recursion
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunIt's possible with a fuzzed filesystem for JFS to keep getblk()-ing
7*4882a593Smuzhiyunthe same data over and over again, leading to stack exhaustion.
8*4882a593Smuzhiyun
9*4882a593SmuzhiyunCheck if we'd be calling the function with exactly the same data as
10*4882a593Smuzhiyunwas passed in, and if so abort.
11*4882a593Smuzhiyun
12*4882a593SmuzhiyunI'm not sure what the performance impact of this is and am open to
13*4882a593Smuzhiyunbetter ideas.
14*4882a593Smuzhiyun
15*4882a593SmuzhiyunSigned-off-by: Daniel Axtens <dja@axtens.net>
16*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
17*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
18*4882a593Smuzhiyun---
19*4882a593Smuzhiyun grub-core/fs/jfs.c | 11 ++++++++++-
20*4882a593Smuzhiyun 1 file changed, 10 insertions(+), 1 deletion(-)
21*4882a593Smuzhiyun
22*4882a593Smuzhiyundiff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
23*4882a593Smuzhiyunindex 804c42d..6f7c439 100644
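--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@@ -304,7 +304,16 @@ getblk (struct grub_jfs_treehead *treehead,
 			   << (grub_le_to_cpu16 (data->sblock.log2_blksz)
 			       - GRUB_DISK_SECTOR_BITS), 0,
 			   sizeof (*tree), (char *) tree))
-	ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+	{
+	  if (grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) ||
+	      grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent)))
+	    ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+	  else
+	    {
+	      grub_error (GRUB_ERR_BAD_FS, "jfs: infinite recursion detected");
+	      ret = -1;
+	    }
+	}
       grub_free (tree);
       return ret;
     }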
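Review bot: The new `grub_memcmp` guard only rejects a child block that is byte-identical to the one the caller passed in, so a crafted image whose tree nodes form a longer cycle (A -> B -> A), or simply a very deep chain, still recurses without bound and can exhaust the stack. A recursion-depth limit that fails with `GRUB_ERR_BAD_FS` once exceeded would cover those cases, and would also avoid the per-level comparison cost the commit message is unsure about. Separately, the second comparison always reads `254 * sizeof (struct grub_jfs_tree_extent)` bytes from `extents`, while the third argument of `getblk` looks like an extent count. If any caller passes a shorter array, this reads past its end, so the compared length should be bounded by the count actually passed in; that needs confirming against the callers. `getblk` starts and ends outside this hunk, so its signature and call sites are not visible here.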
44*4882a593Smuzhiyun--
45*4882a593Smuzhiyun2.14.2
46*4882a593Smuzhiyun