fs/xfs: Fix out-of-bounds read

The number of records in the root key array read from disk was not being
validated against the size of the root node. This could lead to an
out-of-bounds read.

This patch adds a check to ensure that the number of records in the root
key array does not exceed the expected size of a root node read from
disk. If this check detects an out-of-bounds condition the operation is
aborted to prevent random errors due to metadata corruption.

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-xfs-Fix-out-of-bounds-read.patch

diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
index bc2224dbb4631842c77601b5d6e4307913107db2..d2d533531d722f72228f9ba4caa0ab777d213ad7 100644 (file)
--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
@@ -595,6 +595,17 @@ grub_xfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
       do
         {
           grub_uint64_t i;
+         grub_addr_t keys_end, data_end;
+
+         if (grub_mul (sizeof (grub_uint64_t), nrec, &keys_end) ||
+             grub_add ((grub_addr_t) keys, keys_end, &keys_end) ||
+             grub_add ((grub_addr_t) node->data, node->data->data_size, &data_end) ||
+             keys_end > data_end)
+           {
+             grub_error (GRUB_ERR_BAD_FS, "invalid number of XFS root keys");
+             grub_free (leaf);
+             return 0;
+           }
 
           for (i = 0; i < nrec; i++)
             {