From 3e8a58128890ce5f7c3547fe08db7fb3ce4298f5 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer
Date: Mon, 15 Apr 2024 11:05:24 +0200
Subject: [PATCH] fs/xfs: Handle non-continuous data blocks in directory extents

Related: #2254370
Signed-off-by: Nicolas Frayer
---
 ...n-continuous-data-blocks-in-director.patch | 54 +++++++++++++++++++
 grub.patches | 1 +
 grub2.spec | 6 ++-
 3 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 0360-fs-xfs-Handle-non-continuous-data-blocks-in-director.patch

diff --git a/0360-fs-xfs-Handle-non-continuous-data-blocks-in-director.patch b/0360-fs-xfs-Handle-non-continuous-data-blocks-in-director.patch
new file mode 100644
index 0000000..a3ed1a8
--- /dev/null
+++ b/0360-fs-xfs-Handle-non-continuous-data-blocks-in-director.patch
@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jon DeVree
+Date: Sun, 11 Feb 2024 10:34:58 -0500
+Subject: [PATCH] fs/xfs: Handle non-continuous data blocks in directory
+ extents
+
+The directory extent list does not have to be a continuous list of data
+blocks. When GRUB tries to read a non-existant member of the list,
+grub_xfs_read_file() will return a block of zero'ed memory. Checking for
+a zero'ed magic number is sufficient to skip this non-existant data block.
+
+Prior to commit 07318ee7e (fs/xfs: Fix XFS directory extent parsing)
+this was handled as a subtle side effect of reading the (non-existant)
+tail data structure. Since the block was zero'ed the computation of the
+number of directory entries in the block would return 0 as well.
+
+Fixes: 07318ee7e (fs/xfs: Fix XFS directory extent parsing)
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2254370
+
+Signed-off-by: Jon DeVree
+Reviewed-By: Vladimir Serbinenko
+Reviewed-by: Daniel Kiper
+---
+ grub-core/fs/xfs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index bc2224dbb463..8e02ab4a3014 100644
+--- a/grub-core/fs/xfs.c
++++ b/grub-core/fs/xfs.c
+@@ -902,6 +902,7 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ grub_xfs_first_de(dir->data, dirblock);
+ int entries = -1;
+ char *end = dirblock + dirblk_size;
++ grub_uint32_t magic;
+
+ numread = grub_xfs_read_file (dir, 0, 0,
+ blk << dirblk_log2,
+@@ -912,6 +913,15 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ return 0;
+ }
+
++ /*
++ * If this data block isn't actually part of the extent list then
++ * grub_xfs_read_file() returns a block of zeros. So, if the magic
++ * number field is all zeros then this block should be skipped.
++ */
++ magic = *(grub_uint32_t *)(void *) dirblock;
++ if (!magic)
++ continue;
++
+ /*
+ * Leaf and tail information are only in the data block if the number
+ * of extents is 1.
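Review bot: The added `if (!magic) continue;` only recognises a block whose first four bytes are zero, so a block carrying a non-zero but unrecognised magic still falls through to the entry parsing that follows; the check covers the sparse-extent case named in the comment and nothing else. Because this code parses on-disk data that the bootloader cannot trust, it would be stronger to accept only the XFS directory data/block magic values the driver expects and to skip or fail on anything else; whether later code already does this is not visible in the hunk. The load `*(grub_uint32_t *)(void *) dirblock` also reads a `char *` buffer through a cast, and `grub_memcpy (&magic, dirblock, sizeof (magic));` would make the same zero test without depending on the buffer's alignment. grub_xfs_iterate_dir starts and ends outside the hunk, so the effect of `continue` on the enclosing loop should be confirmed against the full function.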
diff --git a/grub.patches b/grub.patches
index 4c67480..0a8b331 100644
--- a/grub.patches
+++ b/grub.patches
@@ -357,3 +357,4 @@ Patch0356: 0356-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
 Patch0357: 0357-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
 Patch0358: 0358-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
 Patch0359: 0359-fs-ntfs-Make-code-more-readable.patch
+Patch0360: 0360-fs-xfs-Handle-non-continuous-data-blocks-in-director.patch
diff --git a/grub2.spec b/grub2.spec
index a3d8f26..1f80842 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -17,7 +17,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.06
-Release: 120%{?dist}
+Release: 121%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPL-3.0-or-later
 URL: http://www.gnu.org/software/grub/
@@ -554,6 +554,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 
 %changelog
+* Fri Apr 12 2024 Nicolas Frayer - 2.06-121
+- fs/xfs: Handle non-continuous data blocks in directory extents
+- Related: #2254370
+
 * Fri Mar 8 2024 Nicolas Frayer - 2.06-120
 - GRUB2 NTFS driver vulnerabilities
 - (CVE-2023-4692)