[PATCH 1/1] fs/xfs: Incorrect short form directory data boundary check

From: Lidong Chen <lidong.chen@oracle.com>
To: grub-devel@gnu.org
Cc: daniel.kiper@oracle.com, lidong.chen@oracle.com
Subject: [PATCH 1/1] fs/xfs: Incorrect short form directory data boundary check
Date: Thu, 28 Sep 2023 22:33:44 +0000	[thread overview]
Message-ID: <20230928223344.4027957-1-lidong.chen@oracle.com> (raw)

After parsing of the current entry, the entry pointer is advanced
to the next entry at the end of the 'for' loop. In case where the
last entry is at the end of the data boundary, the advanced entry
pointer can point off the data boundary. The subsequent boundary
check for the advanced entry pointer can cause a failure.

The fix is to include the boundary check into the 'for' loop
condition.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
---
 grub-core/fs/xfs.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
index b91cd32b4..ebf962793 100644
--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
@@ -810,7 +810,8 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
 	if (iterate_dir_call_hook (parent, "..", &ctx))
 	  return 1;
 
-	for (i = 0; i < head->count; i++)
+	for (i = 0; i < head->count &&
+	     (grub_uint8_t *) de < ((grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data)); i++)
 	  {
 	    grub_uint64_t ino;
 	    grub_uint8_t *inopos = grub_xfs_inline_de_inopos(dir->data, de);
@@ -845,10 +846,6 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
 	    de->name[de->len] = c;
 
 	    de = grub_xfs_inline_next_de(dir->data, head, de);
-
-	    if ((grub_uint8_t *) de >= (grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data))
-	      return grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");
-
 	  }
 	break;
       }
-- 
2.30.2


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
