fs/jfs: Do not move to leaf level if name length is negative

Fuzzing JFS revealed crashes where a negative number would be passed
to le_to_cpu16_copy(). There it would be cast to a large positive number
and the copy would read and write off the end of the respective buffers.

Catch this at the top as well as the bottom of the loop.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: 2021-02-security/074-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-negative.patch

diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
index d5a6d652788ed95253a08d4f6fe9d3b3fe0d91b2..e5bbda61c543a09c5194aad933478efbd2add0ab 100644 (file)
--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@@ -567,7 +567,7 @@ grub_jfs_getent (struct grub_jfs_diropen *diro)
 
   /* Move down to the leaf level.  */
   nextent = leaf->next;
-  if (leaf->next != 255)
+  if (leaf->next != 255 && len > 0)
     do
       {
        next_leaf = &diro->next_leaf[nextent];