kern/partition: Limit recursion in part_iterate()

The part_iterate() is used by grub_partition_iterate() as a callback in
the partition iterate functions. However, part_iterate() may also call
the partition iterate functions which may lead to recursion. Fix potential
issue by limiting the recursion depth.

Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name kern-partition-Limit-recursion-in-part_iterate.patch

diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c
index edad9f9e478e4ff18302a036ff0627a2ee9e1d16..704512a20a9d5d9dc4c70475217846544a8a739a 100644 (file)
--- a/grub-core/kern/partition.c
+++ b/grub-core/kern/partition.c
@@ -28,6 +28,9 @@
 
 grub_partition_map_t grub_partition_map_list;
 
+#define MAX_RECURSION_DEPTH    32
+static unsigned int recursion_depth = 0;
+
 /*
  * Checks that disk->partition contains part.  This function assumes that the
  * start of part is relative to the start of disk->partition.  Returns 1 if
@@ -208,7 +211,12 @@ part_iterate (grub_disk_t dsk, const grub_partition_t partition, void *data)
       FOR_PARTITION_MAPS(partmap)
       {
        grub_err_t err;
-       err = partmap->iterate (dsk, part_iterate, ctx);
+       recursion_depth++;
+       if (recursion_depth <= MAX_RECURSION_DEPTH)
+         err = partmap->iterate (dsk, part_iterate, ctx);
+       else
+         err = grub_error (GRUB_ERR_RECURSION_DEPTH, "maximum recursion depth exceeded");
+       recursion_depth--;
        if (err)
          grub_errno = GRUB_ERR_NONE;
        if (ctx->ret)