fs/jfs: Catch infinite recursion

It's possible with a fuzzed filesystem for JFS to keep getblk()-ing the same data over and over again, leading to stack exhaustion. Check if we'd be calling the function with exactly the same data as was passed in, and if so abort. I'm not sure what the performance impact of this is and am open to better ideas. Signed-off-by: Daniel Axtens <dja@axtens.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2021-01-18 15:47:24 +11:00 · 2021-01-18 15:47:24 +11:00 · 223120dd83
commit 223120dd83
parent bd0cf8148c
1 changed files with 10 additions and 1 deletions
--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@ -304,7 +304,16 @@ getblk (struct grub_jfs_treehead *treehead,
 			   << (grub_le_to_cpu16 (data->sblock.log2_blksz)
 			       - GRUB_DISK_SECTOR_BITS), 0,
 			   sizeof (*tree), (char *) tree))
-	ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+	{
+	  if (grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) ||
+	      grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent)))
+	    ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+	  else
+	    {
+	      grub_error (GRUB_ERR_BAD_FS, "jfs: infinite recursion detected");
+	      ret = -1;
+	    }
+	}
      grub_free (tree);
      return ret;
    }