Coverity marks multiple issues in grub-core/fs/zfs/zfs.c as either "Untrusted
value as argument", "Untrusted pointer read", or "Untrusted loop bound". Each
of these issues shares a common cause where Coverity finds that data->dnode_buf
gets tainted by dnbuf since it is downcasting from (void *) to (dnode_phys_t *)
and could imply that the data the pointer points to is tainted. However, the
function zio_read(), which reads this data from disk, sanitizes this data by
verifying its checksum. To resolve the issues for Coverity, setting dnbuf to
(dnode_phys_t *) at the start of the function dnode_get() seems to do the
trick.

Fixes: CID 896330
Fixes: CID 896331
Fixes: CID 896334
Fixes: CID 896336
Fixes: CID 897337
Fixes: CID 896340
Fixes: CID 314020

Signed-off-by: Alec Brown <[email protected]>
---
 grub-core/fs/zfs/zfs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
index afe821f9b..83dfa6d52 100644
--- a/grub-core/fs/zfs/zfs.c
+++ b/grub-core/fs/zfs/zfs.c
@@ -2743,7 +2743,7 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, 
grub_uint8_t type,
   grub_uint64_t blkid, blksz;  /* the block id this object dnode is in */
   int epbs;                    /* shift of number of dnodes in a block */
   int idx;                     /* index within a block */
-  void *dnbuf;
+  dnode_phys_t *dnbuf;
   grub_err_t err;
   grub_zfs_endian_t endian;
 
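Review bot: the new declaration `dnode_phys_t *dnbuf;` changes only the static type of the pointer, so nothing in this hunk validates the buffer; the commit message relies on zio_read() verifying the checksum for that. Suggest a short comment at the declaration stating that the block arrives checksum-verified, so the reason the pointer is typed rather than `void *` is recorded in the code and not only in the commit log.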
@@ -2773,7 +2773,7 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, 
grub_uint8_t type,
 
   grub_dprintf ("zfs", "endian = %d, blkid=%llx\n", mdn->endian,
                (unsigned long long) blkid);
-  err = dmu_read (mdn, blkid, &dnbuf, &endian, data);
+  err = dmu_read (mdn, blkid, (void **) &dnbuf, &endian, data);
   if (err)
     return err;
   grub_dprintf ("zfs", "alive\n");
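Review bot: the `(void **) &dnbuf` cast in the dmu_read() call makes the callee store through a `void **` into an object declared as `dnode_phys_t *`. In ISO C `void **` is not a generic pointer-to-pointer type, so this is type punning that compiles only because of the explicit cast. Consider whether a `void *` temporary passed to dmu_read() and then assigned to dnbuf would satisfy Coverity equally well, or add a comment explaining why the cast is required here.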
@@ -2795,7 +2795,7 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, 
grub_uint8_t type,
       data->dnode_endian = endian;
     }
 
-  grub_memmove (&(buf->dn), (dnode_phys_t *) dnbuf + idx, DNODE_SIZE);
+  grub_memmove (&(buf->dn), dnbuf + idx, DNODE_SIZE);
   if (data->dnode_buf == 0)
          /* dnbuf not used anymore if data->dnode_mdn malloc failed */
          grub_free (dnbuf);
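Review bot: in the grub_memmove() call, `dnbuf + idx` now steps by sizeof (dnode_phys_t) while the copy length is still DNODE_SIZE, and the visible context shows no bound on idx before the read. Runtime behaviour matches the old cast, but since the change targets "Untrusted pointer read" findings, it would help to point to (or assert) where idx is constrained to the block and that DNODE_SIZE equals the element size.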
-- 
2.27.0

