patches: add XFS followup fixes

these just improve error handling for corrupt XFS file systems Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-08-15 04:18:41 +00:00 · 2025-02-24 11:11:56 +01:00 · 2025-02-24 11:11:56 +01:00 · 5ed0d8a8ad
commit 5ed0d8a8ad
parent dcf0cd27e9
4 changed files with 158 additions and 0 deletions
--- a/debian/patches/cve_2025_02_multiple/0205-fs-xfs-Handle-root-inode-read-failure-in-grub_xfs_mo.patch
+++ b/debian/patches/cve_2025_02_multiple/0205-fs-xfs-Handle-root-inode-read-failure-in-grub_xfs_mo.patch
@ -0,0 +1,27 @@
+From: Egor Ignatov <egori@altlinux.org>
+Date: Thu, 23 Jan 2025 20:44:13 +0300
+Subject: fs/xfs: Handle root inode read failure in grub_xfs_mount
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Egor Ignatov <egori@altlinux.org>
+FG: cherry-picked from grub-devel 20250123174415.1251915-2-egori@altlinux.org
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ grub-core/fs/xfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index cc50feb..366974c 100644
+--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
+@@ -1021,6 +1021,8 @@ grub_xfs_mount (grub_disk_t disk)
+ 	       grub_cpu_to_be64(data->sblock.rootino));
+ 
+   grub_xfs_read_inode (data, data->diropen.ino, &data->diropen.inode);
+  if (grub_errno)
+    goto fail;
+ 
+   return data;
+  fail:
--- a/debian/patches/cve_2025_02_multiple/0206-fs-xfs-Fix-grub_xfs_iterate_dir-return-value-in-case.patch
+++ b/debian/patches/cve_2025_02_multiple/0206-fs-xfs-Fix-grub_xfs_iterate_dir-return-value-in-case.patch
@ -0,0 +1,53 @@
+From: Egor Ignatov <egori@altlinux.org>
+Date: Thu, 23 Jan 2025 20:44:14 +0300
+Subject: fs/xfs: Fix grub_xfs_iterate_dir return value in case of failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Commit ef7850c757 introduced multiple boundary checks in grub_xfs_iterate_dir()
+but handled the error incorrectly returning error code instead of 0.
+
+Also change the error message so that it doesn't match the message
+in grub_xfs_read_inode().
+
+Fixes: ef7850c757 (fs/xfs: Fix issues found while fuzzing the XFS filesystem)
+
+Signed-off-by: Egor Ignatov <egori@altlinux.org>
+FG: cherry-picked from grub-devel 20250123174415.1251915-2-egori@altlinux.org
+with adapted context
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ grub-core/fs/xfs.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index 366974c..e80a7b0 100644
+--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
+@@ -839,7 +839,11 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ 	    grub_uint8_t c;
+ 
+ 	    if ((inopos + (smallino ? 4 : 8)) > (grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data))
+-	      return grub_error (GRUB_ERR_BAD_FS, "not a correct XFS inode");
+	      {
+		grub_error (GRUB_ERR_BAD_FS, "invalid XFS inode");
+		return 0;
+	      }
+
+ 
+ 	    /* inopos might be unaligned.  */
+ 	    if (smallino)
+@@ -869,8 +873,10 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ 	    de = grub_xfs_inline_next_de(dir->data, head, de);
+ 
+ 	    if ((grub_uint8_t *) de >= (grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data))
+-	      return grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");
+-
+	      {
+		grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");
+		return 0;
+	      }
+ 	  }
+ 	break;
+       }
--- a/debian/patches/cve_2025_02_multiple/0207-fs-xfs-Propagate-incorrect-inode-error-from-grub_xfs.patch
+++ b/debian/patches/cve_2025_02_multiple/0207-fs-xfs-Propagate-incorrect-inode-error-from-grub_xfs.patch
@ -0,0 +1,75 @@
+From: Egor Ignatov <egori@altlinux.org>
+Date: Thu, 23 Jan 2025 20:44:15 +0300
+Subject: fs/xfs: Propagate incorrect inode error from grub_xfs_read_inode
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+The incorrect inode error from grub_xfs_read_inode did not propagate because
+grub_print_error() resetted grub_errno, and grub_xfs_iterate_dir() did not
+handle it at all.
+
+Signed-off-by: Egor Ignatov <egori@altlinux.org>
+FG: cherry-picked from grub-devel 20250123174415.1251915-2-egori@altlinux.org
+    with adapted context
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ grub-core/fs/xfs.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index e80a7b0..98fd53b 100644
+--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
+@@ -777,7 +777,6 @@ static int iterate_dir_call_hook (grub_uint64_t ino, const char *filename,
+   fdiro = grub_malloc (sz);
+   if (!fdiro)
+     {
+-      grub_print_error ();
+       return 0;
+     }
+ 
+@@ -789,7 +788,6 @@ static int iterate_dir_call_hook (grub_uint64_t ino, const char *filename,
+   err = grub_xfs_read_inode (ctx->diro->data, ino, &fdiro->inode);
+   if (err)
+     {
+-      grub_print_error ();
+       return 0;
+     }
+ 
+@@ -828,9 +826,13 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ 	/* Synthesize the direntries for `.' and `..'.  */
+ 	if (iterate_dir_call_hook (diro->ino, ".", &ctx))
+ 	  return 1;
+	else if (grub_errno)
+	  return 0;
+ 
+ 	if (iterate_dir_call_hook (parent, "..", &ctx))
+ 	  return 1;
+	else if (grub_errno)
+	  return 0;
+ 
+ 	for (i = 0; i < head->count; i++)
+ 	  {
+@@ -870,6 +872,9 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ 	      }
+ 	    de->name[de->len] = c;
+ 
+	    if (grub_errno)
+	      return 0;
+
+ 	    de = grub_xfs_inline_next_de(dir->data, head, de);
+ 
+ 	    if ((grub_uint8_t *) de >= (grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data))
+@@ -955,6 +960,11 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ 		    grub_free (dirblock);
+ 		    return 1;
+ 		  }
+		else if (grub_errno)
+		  {
+		    grub_free (dirblock);
+		    return 0;
+		  }
+ 
+ 		/* Check if last direntry in this block is
+ 		   reached.  */
--- a/debian/patches/series
+++ b/debian/patches/series
@ -201,3 +201,6 @@ cve_2025_02_multiple/0201-kern-misc-Add-sanity-check-after-grub_strtoul-call.pat
 cve_2025_02_multiple/0202-loader-i386-linux-Cast-left-shift-to-grub_uint32_t.patch
 cve_2025_02_multiple/0203-loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch
 cve_2025_02_multiple/0204-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch
+cve_2025_02_multiple/0205-fs-xfs-Handle-root-inode-read-failure-in-grub_xfs_mo.patch
+cve_2025_02_multiple/0206-fs-xfs-Fix-grub_xfs_iterate_dir-return-value-in-case.patch
+cve_2025_02_multiple/0207-fs-xfs-Propagate-incorrect-inode-error-from-grub_xfs.patch