fs/btrfs: Fix more fuzz issues related to chunks

The corpus was generating issues in grub_btrfs_read_logical() when
attempting to iterate over stripe entries in the superblock's
bootmapping.

In most cases the reason for the failure was that the number of stripes
in chunk->nstripes exceeded the possible space statically allocated in
superblock bootmapping space. Each stripe entry in the bootmapping block
consists of a grub_btrfs_key followed by a grub_btrfs_chunk_stripe.

Another issue that came up was that while calculating the chunk size,
in an earlier piece of code in that function, depending on the data
provided in the btrfs file system, it would end up calculating a size
that was too small to contain even 1 grub_btrfs_chunk_item, which is
obviously invalid too.

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
index 73b23063236c0ebd57a8a805b964f31125897fdc..ec72f7be36d90e0f72215cbfa871160f045ffe68 100644 (file)
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@@ -918,6 +918,17 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
          return grub_error (GRUB_ERR_BAD_FS,
                             "got an invalid zero-size chunk");
        }
+
+      /*
+       * The space being allocated for a chunk should at least be able to
+       * contain one chunk item.
+       */
+      if (chsize < sizeof (struct grub_btrfs_chunk_item))
+       {
+         grub_dprintf ("btrfs", "chunk-size too small\n");
+         return grub_error (GRUB_ERR_BAD_FS,
+                            "got an invalid chunk size");
+       }
       chunk = grub_malloc (chsize);
       if (!chunk)
        return grub_errno;
@@ -1165,6 +1176,13 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
        if (csize > (grub_uint64_t) size)
          csize = size;
 
+       /*
+        * The space for a chunk stripe is limited to the space provide in the super-block's
+        * bootstrap mapping with an initial btrfs key at the start of each chunk.
+        */
+       grub_size_t avail_stripes = sizeof (data->sblock.bootstrap_mapping) /
+         (sizeof (struct grub_btrfs_key) + sizeof (struct grub_btrfs_chunk_stripe));
+
        for (j = 0; j < 2; j++)
          {
            grub_size_t est_chunk_alloc = 0;
@@ -1191,6 +1209,12 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
                break;
              }
 
+          if (grub_le_to_cpu16 (chunk->nstripes) > avail_stripes)
+             {
+               err = GRUB_ERR_BAD_FS;
+               break;
+             }
+
            if (is_raid56)
              {
                err = btrfs_read_from_chunk (data, chunk, stripen,