From bb9ff31641b00a8abd79feb37a845a1d4066b9bb Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 26 Oct 2021 15:02:39 +0000
Subject: [PATCH] fs/zfs/zfs: Fix possible insecure use of chunk size in
 zap_leaf_array_get()

In zap_leaf_array_get() the chunk size passed in is considered tainted
by Coverity, and is being used before it is tested for validity. To fix
this the assignment of "la" is moved until after the test of the value
of "chunk".

Fixes: CID 314014

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/zfs/zfs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
index 44e4e1814..e9d7a7d0e 100644
--- a/grub-core/fs/zfs/zfs.c
+++ b/grub-core/fs/zfs/zfs.c
@@ -2229,7 +2229,7 @@ zap_leaf_array_get (zap_leaf_phys_t * l, grub_zfs_endian_t endian, int blksft,
 
   while (bseen < array_len)
     {
-      struct zap_leaf_array *la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array;
+      struct zap_leaf_array *la;
       grub_size_t toread = array_len - bseen;
 
       if (toread > ZAP_LEAF_ARRAY_BYTES)
@@ -2239,6 +2239,7 @@ zap_leaf_array_get (zap_leaf_phys_t * l, grub_zfs_endian_t endian, int blksft,
 	/* Don't use grub_error because this error is to be ignored.  */
 	return GRUB_ERR_BAD_FS;
 
+      la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array;
       grub_memcpy (buf + bseen,la->la_array,  toread);
       chunk = grub_zfs_to_cpu16 (la->la_next, endian);
       bseen += toread;
-- 
2.47.3