fs/nilfs2: Reject too-large keys

NILFS2 has up to 7 keys, per the data structure. Do not permit array
indices in excess of that.

This catches some OOB reads. I don't know how controllable the invalidly
read data is or if that could be used later in the program.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
index 082326f38beda2283f90432caf27dd89fda0bd30..20053caf5ec79f9b0c14036e9c2e4790548b8510 100644 (file)
--- a/grub-core/fs/nilfs2.c
+++ b/grub-core/fs/nilfs2.c
@@ -569,6 +569,11 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data,
 static inline grub_uint64_t
 grub_nilfs2_direct_lookup (struct grub_nilfs2_inode *inode, grub_uint64_t key)
 {
+  if (1 + key > 6)
+    {
+      grub_error (GRUB_ERR_BAD_FS, "key is too large");
+      return 0xffffffffffffffff;
+    }
   return grub_le_to_cpu64 (inode->i_bmap[1 + key]);
 }
 
@@ -584,7 +589,7 @@ grub_nilfs2_bmap_lookup (struct grub_nilfs2_data *data,
     {
       grub_uint64_t ptr;
       ptr = grub_nilfs2_direct_lookup (inode, key);
-      if (need_translate)
+      if (ptr != ((grub_uint64_t) 0xffffffffffffffff) && need_translate)
        ptr = grub_nilfs2_dat_translate (data, ptr);
       return ptr;
     }