grub-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v2 1/1] fs/udf: Fix out of bounds access

From: Lidong Chen
Subject: [PATCH v2 1/1] fs/udf: Fix out of bounds access
Date: Wed, 7 Jun 2023 01:31:06 +0000 
Implemented a boundary check before advancing the allocation
descriptors pointer.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/udf.c | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
index 7679ea309..58884d2ba 100644
--- a/grub-core/fs/udf.c
+++ b/grub-core/fs/udf.c
@@ -114,6 +114,10 @@ GRUB_MOD_LICENSE ("GPLv3+");
 #define GRUB_UDF_PARTMAP_TYPE_1                1
 #define GRUB_UDF_PARTMAP_TYPE_2                2
 
+#define GRUB_UDF_INVALID_STRUCT_PTR(_ptr, _struct)     \
+  ((char *) (_ptr) >= end_ptr || \
+   ((grub_ssize_t)(end_ptr - (char*)(_ptr)) < (grub_ssize_t)sizeof(_struct)))
+
 struct grub_udf_lb_addr
 {
   grub_uint32_t block_num;
@@ -458,6 +462,7 @@ grub_udf_read_block (grub_fshelp_node_t node, 
grub_disk_addr_t fileblock)
   char *ptr;
   grub_ssize_t len;
   grub_disk_addr_t filebytes;
+  char *end_ptr;
 
   switch (U16 (node->block.fe.tag.tag_ident))
     {
@@ -476,9 +481,17 @@ grub_udf_read_block (grub_fshelp_node_t node, 
grub_disk_addr_t fileblock)
       return 0;
     }
 
+  end_ptr = (char *) node + get_fshelp_size (node->data);
+
   if ((U16 (node->block.fe.icbtag.flags) & GRUB_UDF_ICBTAG_FLAG_AD_MASK)
       == GRUB_UDF_ICBTAG_FLAG_AD_SHORT)
     {
+      if (GRUB_UDF_INVALID_STRUCT_PTR(ptr, struct grub_udf_short_ad))
+       {
+         grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
+         return 0;
+       }
+
       struct grub_udf_short_ad *ad = (struct grub_udf_short_ad *) ptr;
 
       filebytes = fileblock * U32 (node->data->lvd.bsize);
@@ -542,10 +555,22 @@ grub_udf_read_block (grub_fshelp_node_t node, 
grub_disk_addr_t fileblock)
          filebytes -= adlen;
          ad++;
          len -= sizeof (struct grub_udf_short_ad);
+
+         if (GRUB_UDF_INVALID_STRUCT_PTR(ad, struct grub_udf_short_ad))
+           {
+             grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
+             return 0;
+           }
        }
     }
   else
     {
+      if (GRUB_UDF_INVALID_STRUCT_PTR(ptr, struct grub_udf_long_ad))
+       {
+         grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
+         return 0;
+       }
+
       struct grub_udf_long_ad *ad = (struct grub_udf_long_ad *) ptr;
 
       filebytes = fileblock * U32 (node->data->lvd.bsize);
@@ -611,6 +636,12 @@ grub_udf_read_block (grub_fshelp_node_t node, 
grub_disk_addr_t fileblock)
          filebytes -= adlen;
          ad++;
          len -= sizeof (struct grub_udf_long_ad);
+
+         if (GRUB_UDF_INVALID_STRUCT_PTR(ad, struct grub_udf_long_ad))
+           {
+             grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
+             return 0;
+           }
        }
     }
 
@@ -630,6 +661,7 @@ grub_udf_read_file (grub_fshelp_node_t node,
     case GRUB_UDF_ICBTAG_FLAG_AD_IN_ICB:
       {
        char *ptr;
+       char *end_ptr = (char *) node + get_fshelp_size (node->data);
 
        ptr = ((U16 (node->block.fe.tag.tag_ident) == GRUB_UDF_TAG_IDENT_FE) ?
               ((char *) &node->block.fe.ext_attr[0]
@@ -637,6 +669,12 @@ grub_udf_read_file (grub_fshelp_node_t node,
               ((char *) &node->block.efe.ext_attr[0]
                 + U32 (node->block.efe.ext_attr_length)));
 
+       if ((ptr + pos + len) > end_ptr)
+         {
+           grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
+           return 0;
+         }
+
        grub_memcpy (buf, ptr + pos, len);
 
        return len;
-- 
2.39.1
reply via email to
[Prev in Thread] Current Thread [Next in Thread]