From 223120dd83745126cb232a0248c9a8901d7e350d Mon Sep 17 00:00:00 2001
From: Daniel Axtens
Date: Mon, 18 Jan 2021 15:47:24 +1100
Subject: [PATCH] fs/jfs: Catch infinite recursion

It's possible with a fuzzed filesystem for JFS to keep getblk()-ing the same data over and over again, leading to stack exhaustion. Check if we'd be calling the function with exactly the same data as was passed in, and if so abort.

I'm not sure what the performance impact of this is and am open to better ideas.

Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
Signed-off-by: Stefan Sørensen
---
 grub-core/fs/jfs.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
index 804c42d..6f7c439 100644
--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@@ -304,7 +304,16 @@ getblk (struct grub_jfs_treehead *treehead,
                            << (grub_le_to_cpu16 (data->sblock.log2_blksz)
                                - GRUB_DISK_SECTOR_BITS),
                            0, sizeof (*tree), (char *) tree))
-        ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+        {
+          if (grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) ||
+              grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent)))
+            ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+          else
+            {
+              grub_error (GRUB_ERR_BAD_FS, "jfs: infinite recursion detected");
+              ret = -1;
+            }
+        }
       grub_free (tree);
       return ret;
     }
-- 
2.14.2
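Review bot: The added `grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent))` assumes the caller-supplied `extents` array holds 254 entries, yet the recursive call passes 254 as an explicit count argument, which implies the count differs between callers; any caller that hands in a shorter array (presumably the inode-embedded extent list at the top of the recursion) would have this comparison read past the end of that array. A cheap guard is to bound the compare by the count parameter and skip the equality test whenever it is not 254, since the node just read from disk always carries 254 extents: treat recursion as detected only when `max_extents == 254 && !grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) && !grub_memcmp (&tree->extents, extents, max_extents * sizeof (struct grub_jfs_tree_extent))`, where `max_extents` stands for whatever the third parameter is actually named. Separately, the equality test only catches a node that refers back to itself; a cycle through two or more distinct nodes, or simply a very long chain of distinct nodes, still recurses without bound, so a depth counter threaded through the recursive call (or a fixed maximum depth that fails with the same GRUB_ERR_BAD_FS) would address the stack-exhaustion risk named in the commit message more completely. getblk's signature and the start of its body lie before the hunk, so the count parameter's name and whether `ret` is initialised on the read-failure path cannot be confirmed from what is shown.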