On Thu, 20 Mar 2025 18:28:00 -0500
Andrew Hamilton <adham...@gmail.com> wrote:

> A regression was introduced recently as a part of the series of
> filesystem related patches to address some CVEs found in GRUB.
> 
> This issue may cause either an infinite loop at startup when
> accessing certain valid NTFS file systems, or may cause a crash
> due to a NULL pointer dereference on systems where "NULL" address
> is invalid (such as may happen when calling grub-mount from
> the operating system level).
> 
> Correct this issue by checking that at->attr_cur is within bounds
> inside find_attr.
> 
> Fixes: https://savannah.gnu.org/bugs/?66855

The NTFS filesystem test is failing even though this change is
included. grub-fstest is failing to detect the generated NTFS
filesystem as NTFS. The debug log shows these lines:

grub-core/kern/fs.c:56:fs: Detecting ntfs...
grub-core/fs/ntfs.c:212:ntfs: spare=800 min_size=73 attr_size=72
grub-core/kern/fs.c:79:fs: error: no $INDEX_ROOT.
grub-core/kern/fs.c:80:fs: ntfs detection failed.

Based on where this error message is generated, it looks like the issue
is in find_attr(). So this change looks like a partial fix.

Glenn
 
> Co-authored-by: B Horn <b...@horn.uk>
> Co-authored-by: Andrew Hamilton <adham...@gmail.com>
> Signed-off-by: Andrew Hamilton <adham...@gmail.com>
> ---
> V2 -> V3: Changed NULL check to >= at->mft->buf
> 
>  grub-core/fs/ntfs.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
> index 960833a34..767b93c21 100644
> --- a/grub-core/fs/ntfs.c
> +++ b/grub-core/fs/ntfs.c
> @@ -387,7 +387,8 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
>      }
>    at->attr_cur = at->attr_nxt;
>    mft_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
> -  while (at->attr_cur < mft_end && *at->attr_cur != 0xFF)
> +  while (at->attr_cur >= at->mft->buf && at->attr_cur < mft_end
> +         && *at->attr_cur != 0xFF)
>      {
>        at->attr_nxt = next_attribute (at->attr_cur, at->end);
>        if (*at->attr_cur == GRUB_NTFS_AT_ATTRIBUTE_LIST)
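Review bot: The new lower-bound test `at->attr_cur >= at->mft->buf` in the while condition ends the loop silently when at->attr_cur is outside the MFT buffer, so a NULL or otherwise invalid at->attr_nxt becomes indistinguishable from reaching the 0xFF end marker, and the caller only sees "attribute not found". Consider testing at->attr_nxt explicitly before the loop and returning an error there, and add a comment saying which value the check guards against (the V2 -> V3 note implies NULL). Relying on NULL ordering below at->mft->buf is a relational comparison between pointers that do not point into the same object, which C does not define, so an explicit `at->attr_cur != NULL` test next to the range check would be more robust. The loop is also bounded by mft_end while next_attribute() is given at->end; a short comment stating how the two limits relate would help, since `at->attr_cur < mft_end` only guarantees that the single byte read by `*at->attr_cur` lies inside the buffer.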

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
