Steve McIntyre <st...@einval.com> writes:
> Hi all!
>
> программист некто (in CC) reported this bug a few weeks back in
> Debian. Since I applied the bundle of filesystem bounds-checking fixes
> a few months back, he can't run grub-install. He's done the work to
> determine that the patch that breaks things for him is
>
> 2d014248d540c7e087934a94b6e7a2aa7fc2c704 fs/f2fs: Do not read past the end of
> nat journal entries
>
> The full thread of our discussion is at https://bugs.debian.org/1021846
>
> I don't have any knowledge of f2fs to go any further here. Help please! :-)
Ergh, apologies for the regression.
[somewhat off-topic: The fix came from a crash derived from fuzzing. I
am not really knowledgeable about f2fs either - I was just trying to do
my best based on what we could derive from the existing driver. In
general, filesystems are a nightmare for fuzzing fixes because testing
beyond the (quite decent!) tests that the grub test-suite runs is very
challenging. There is usually no-one who is both involved in grub
security and an expert on any given file system either. We do the best
we can. Sadly our regression rate has been climbing, so we may need to
come up with some other way to secure file systems or get access to
sufficient expertise in the future.]
I had a massive, massive work-in-progress spiel where I looked at this
code and compared the linux code and counted sizes and so on and so
forth. I was getting nowhere. But eventually I realised I had just made
an off-by-one error in the test. You're allowed to have up to n =
NAT_JOURNAL_ENTRIES entries _inclusive_, because the loop below uses i <
n, not i <= n. D'oh.
Please try the following:
diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c
index df6beb544cbd..855e24618c2b 100644
--- a/grub-core/fs/f2fs.c
+++ b/grub-core/fs/f2fs.c
@@ -650,7 +650,7 @@ get_blkaddr_from_nat_journal (struct grub_f2fs_data *data,
grub_uint32_t nid,
grub_uint16_t n = grub_le_to_cpu16 (data->nat_j.n_nats);
grub_uint16_t i;
- if (n >= NAT_JOURNAL_ENTRIES)
+ if (n > NAT_JOURNAL_ENTRIES)
return grub_error (GRUB_ERR_BAD_FS,
"invalid number of nat journal entries");
If for some reason that doesn't work, please add the following debug
code and report the results:
diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c
index 855e24618c2b..6e49a6d17b7a 100644
--- a/grub-core/fs/f2fs.c
+++ b/grub-core/fs/f2fs.c
@@ -643,6 +643,10 @@ get_nat_journal (struct grub_f2fs_data *data)
return err;
}
+#ifdef GRUB_UTIL
+#include <stdio.h>
+#endif
+
static grub_err_t
get_blkaddr_from_nat_journal (struct grub_f2fs_data *data, grub_uint32_t nid,
grub_uint32_t *blkaddr)
@@ -650,6 +654,10 @@ get_blkaddr_from_nat_journal (struct grub_f2fs_data *data,
grub_uint32_t nid,
grub_uint16_t n = grub_le_to_cpu16 (data->nat_j.n_nats);
grub_uint16_t i;
+#ifdef GRUB_UTIL
+ fprintf(stderr, "%s: n = %hu\n", __func__, n);
+#endif
+
if (n > NAT_JOURNAL_ENTRIES)
return grub_error (GRUB_ERR_BAD_FS,
"invalid number of nat journal entries");
Amusingly the debug code shows that the grub-fs-tester tests always have
n = 0, which makes sense for a test that doesn't really stress the
file-system, and also explains why we didn't catch the bug when it was
introduced.
Kind regards,
Daniel
>
> ----- Forwarded message from программист некто
> <programmer11...@programist.ru> -----
>
> From: программист некто <programmer11...@programist.ru>
> To: sub...@bugs.debian.org
> Date: Sat, 15 Oct 2022 23:54:36 +0300
> Subject: Bug#1021846: grub-install is broken since 2.06-3: error: unknown
> filesystem
> Message-Id: <3168731665867...@wf4nrjvtssjecb53.iva.yp-c.yandex.net>
>
> Package: grub-pc
> Version: 2.06-3~deb11u1
> Severity: critical
>
> Hello. Since version 2.06-3, grub-install is broken: it fails with "error:
> unknown filesystem".
> I test command /usr/sbin/grub-install -v /dev/sda
> in some versions. Results in mail attachments.
> Versions older than 2.06-3 works without error (2.06-2 and lower).
> Tested versions: 2.04-20, 2.06-1, 2.06-2, 2.06-3~deb10u1, 2.06-3~deb11u1,
> 2.06-4.
>
> Disk partitions:
>
> # fdisk --list-details
> Disk /dev/sda: 29,82 GiB, 32017047552 bytes, 62533296 sectors
> Disk model: TS32GSSD370S
> Units: sectors of 1 * 512 = 512 bytes
> Sector size (logical/physical): 512 bytes / 512 bytes
> I/O size (minimum/optimal): 512 bytes / 512 bytes
> Disklabel type: dos
> Disk identifier: 0xc7177f7e
>
> Device Boot Start End Sectors Id Type Start-C/H/S End-C/H/S Attrs
> /dev/sda1 2048 22763519 22761472 83 Linux 4/4/1 1023/254/2
> /dev/sda2 * 25866240 62531583 36665344 7 HPFS/ 1023/254/2 1023/254/2 80
>
> $ disktype /dev/sda1
> --- /dev/sda1
> Block device, size 10.85 GiB (11653873664 bytes)
> F2FS file system (version 1.14)
>
> $ disktype /dev/sda2
> --- /dev/sda2
> Block device, size 17.48 GiB (18772656128 bytes)
> NTFS file system
> Volume size 17.48 GiB (18772652032 bytes, 36665336 sectors)
>
>
>
>
>
>
>
>
> ----- End forwarded message -----
> --
> Steve McIntyre, Cambridge, UK. st...@einval.com
> Mature Sporty Personal
> More Innovation More Adult
> A Man in Dandism
> Powered Midship Specialty
>
>
> _______________________________________________
> Grub-devel mailing list
> grub-de...@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
