BTW,

The HFSPLUS_CATKEY_* macros defined in this patch are based on Apple Technical
Note TN1150:
https://developer.apple.com/library/archive/technotes/tn/tn1150.html


"IMPORTANT:

The length of the key varies with the length of the string stored in the
nodeName field; it occupies only the number of bytes required to hold the
name. The keyLength field determines the actual length of the key; it varies
between kHFSPlusCatalogKeyMinimumLength (6) to kHFSPlusCatalogKeyMaximumLength (516)."


Regards,

Lidong


On Apr 20, 2023, at 10:59 AM, Lidong Chen <lidong.c...@oracle.com> wrote:

A corrupted HFS+ filesystem can have a catalog key whose length is out of range.
This can lead to an out-of-bounds access when the pointer is advanced past the
key to reach the catalog file info.

Signed-off-by: Lidong Chen <lidong.c...@oracle.com>
---
grub-core/fs/hfsplus.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
index 1ffebc8be..9c1f12574 100644
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -87,6 +87,9 @@ struct grub_hfsplus_catfile
#define HFSPLUS_BTNODE_MINSZ (1 << 9)
#define HFSPLUS_BTNODE_MAXSZ (1 << 15)

+#define HFSPLUS_CATKEY_MIN_LEN 6
+#define HFSPLUS_CATKEY_MAX_LEN 516
+
/* Some pre-defined file IDs.  */
enum
  {
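Review bot: The two new macros carry no comment saying where the values 6 and 516 come from, although the cover note on this thread names the source; a reader of hfsplus.c alone cannot tell whether 516 is an arbitrary cap or the on-disk format limit. A one-line comment above them would settle it: `/* kHFSPlusCatalogKeyMinimumLength / kHFSPlusCatalogKeyMaximumLength from Apple TN1150.  */`.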
@@ -699,6 +702,13 @@ list_nodes (void *record, void *hook_arg)

  catkey = (struct grub_hfsplus_catkey *) record;

+  if (grub_be_to_cpu16 (catkey->keylen) < HFSPLUS_CATKEY_MIN_LEN ||
+      grub_be_to_cpu16 (catkey->keylen) > HFSPLUS_CATKEY_MAX_LEN)
+    {
+      grub_error (GRUB_ERR_BAD_FS, "catalog key length is out of range");
+      return 1;
+    }
+
  fileinfo =
    (struct grub_hfsplus_catfile *) ((char *) record
    + grub_be_to_cpu16 (catkey->keylen)
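Review bot: The new check bounds keylen only by the HFS+ format limits, not by the size of the record it lives in, so a keylen that is within 6..516 but larger than the actual record would still move `fileinfo` beyond the record on the lines that follow; whether the B-tree walk that calls list_nodes already validates the record length is not visible in this hunk, and if it does not, a comparison of keylen against the record's remaining size is still needed here. A point of style: `grub_be_to_cpu16 (catkey->keylen)` is evaluated three times in this hunk; a local `grub_uint16_t keylen = grub_be_to_cpu16 (catkey->keylen);` declared once and used in both the check and the `fileinfo` computation would read better and avoid repeating the byte-swap. The body of list_nodes begins and ends outside the hunk.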
--
2.39.1

