fs/xfs: Fix out-of-bounds read

The number of records in the root key array read from disk was not being
validated against the size of the root node. This could lead to an
out-of-bounds read.

This patch adds a check to ensure that the number of records in the root
key array does not exceed the expected size of a root node read from
disk. If this check detects an out-of-bounds condition the operation is
aborted to prevent random errors due to metadata corruption.

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
index 8e02ab4a3014246fbc6c6a67c6eaa3a00bc6578f..82ea33f4061232e6b84f6d16fec76020789eb674 100644 (file)
--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
@@ -595,6 +595,17 @@ grub_xfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
       do
         {
           grub_uint64_t i;
+         grub_addr_t keys_end, data_end;
+
+         if (grub_mul (sizeof (grub_uint64_t), nrec, &keys_end) ||
+             grub_add ((grub_addr_t) keys, keys_end, &keys_end) ||
+             grub_add ((grub_addr_t) node->data, node->data->data_size, &data_end) ||
+             keys_end > data_end)
+           {
+             grub_error (GRUB_ERR_BAD_FS, "invalid number of XFS root keys");
+             grub_free (leaf);
+             return 0;
+           }
 
           for (i = 0; i < nrec; i++)
             {