Date: Wed, 18 Jan 2023 17:12:22 +0100
From: "Thomas Schmitt"
To: grub-devel@gnu.org
Subject: Re: [PATCH v2 2/5] fs/iso9660: Prevent read past the end of system use area
Cc: lidong.chen@oracle.com, fengtao40@huawei.com, yanan@huawei.com, daniel.kiper@oracle.com, lichenca2005@gmail.com
References: <93db49148529620f4fb8dd472be3fab2dc75106c.1673991546.git.lidong.chen@oracle.com>
In-Reply-To: <93db49148529620f4fb8dd472be3fab2dc75106c.1673991546.git.lidong.chen@oracle.com>
Message-Id: <12328393032026933767@scdbackup.webframe.org>

Hi,

On Wed, 18 Jan 2023 08:23:55 +0000 Lidong Chen wrote:
> In the code, the for loop advanced the entry pointer to the
> next entry before checking if the next entry is within the
> system use area boundary. Another issue in the code was that
> there is no check for the size of system use area. For a
> corrupted system, the size of system use area can be less than
> the size of minimum SUSP entry size (4 bytes). These can cause
> buffer overrun. The fixes added the checks to ensure the read is
> valid and within the boundary.
>
> Signed-off-by: Lidong Chen
> ---
> grub-core/fs/iso9660.c | 30 +++++++++++++++++++++++++++---
> 1 file changed, 27 insertions(+), 3 deletions(-)
>
> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
> index 4f4cd6165..65c8862b6 100644
> --- a/grub-core/fs/iso9660.c
> +++ b/grub-core/fs/iso9660.c
> @@ -49,6 +49,8 @@ GRUB_MOD_LICENSE ("GPLv3+"); > #define GRUB_ISO9660_VOLDESC_PART 3 > #define GRUB_ISO9660_VOLDESC_END 255 > > +#define GRUB_ISO9660_SUSP_HEADER_SZ 4 > + > /* The head of a volume descriptor. */ > struct grub_iso9660_voldesc > { > @@ -272,6 +274,9 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, = grub_off_t off, > if (sua_size <=3D 0) > return GRUB_ERR_NONE; > > + if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ) > + return grub_error (GRUB_ERR_BAD_FS, "invalid susp entry size"); > + > sua =3D grub_malloc (sua_size); > if (!sua) > return grub_errno;
> @@ -281,10 +286,14 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node= , grub_off_t off, > if (err) > return err; > > - for (entry =3D (struct grub_iso9660_susp_entry *) sua; (char *) entry= < (char *) sua + sua_size - 1 && entry->len > 0; > - entry =3D (struct grub_iso9660_susp_entry *) > - ((char *) entry + entry->len)) > + entry =3D (struct grub_iso9660_susp_entry *) sua; > + > + while (entry->len > 0) > { > + /* Ensure the entry is within System Use Area */ > + if ((char *) entry + entry->len > (sua + sua_size)) > + break; > + > /* The last entry. */ > if (grub_strncmp ((char *) entry->sig, "ST", 2) =3D=3D 0) > break; > @@ -300,6 +309,16 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node,= grub_off_t off, > off =3D grub_le_to_cpu32 (ce->off); > ce_block =3D grub_le_to_cpu32 (ce->blk) << GRUB_ISO9660_LOG2_BLKSZ; > > + if (sua_size <=3D 0) > + break; > + > + if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ) > + { > + grub_free (sua); > + return grub_error (GRUB_ERR_BAD_FS, > + "invalid continuation area in CE entry"); > + } > + > grub_free (sua); > sua =3D grub_malloc (sua_size); > if (!sua) > @@ -319,6 +338,11 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node,= grub_off_t off, > grub_free (sua); > return 0; > } > + > + entry =3D (struct grub_iso9660_susp_entry *) ((char *) entry + en= try->len); > + > + if (((sua + sua_size) - (char *) entry) < GRUB_ISO9660_SUSP_HEADE= R_SZ) > + break; > } > > grub_free (sua); > -- > 2.35.1

Reviewed-by: Thomas Schmitt

Have a nice day :)

Thomas
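Review bot: GRUB_ISO9660_SUSP_HEADER_SZ in the @@ -49 hunk is introduced without a comment explaining the value. A one-line note that 4 is the fixed SUSP entry header (two-byte signature, one-byte length, one-byte version) and therefore the smallest entry that can exist, e.g. `/* sig[2] + len + ver: the smallest possible SUSP entry.  */`, would tie the constant to the "minimum SUSP entry size (4 bytes)" reasoning in the commit message.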
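Review bot: the error string "invalid susp entry size" in the @@ -272 hunk names the wrong quantity: the value being rejected is the size of the whole system use area, before any entry has been read. Suggest "invalid system use area size" so that a GRUB_ERR_BAD_FS report from a damaged image can be told apart from the "invalid continuation area in CE entry" message added in the @@ -300 hunk.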
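Review bot: the new check in the @@ -281 hunk, `if ((char *) entry + entry->len > (sua + sua_size)) break;`, only guards the far end of the entry. An entry whose len is 1, 2 or 3 is shorter than GRUB_ISO9660_SUSP_HEADER_SZ and cannot carry a complete header, yet it passes this test and the loop body goes on to treat it as a well-formed entry; after the advance at the bottom of the loop the pointer has moved by less than a header, so the next sig/len read overlaps the current entry (still inside sua thanks to the trailing check, but interpreting garbage rather than rejecting it). Suggest folding the minimum into the same test: `if (entry->len < GRUB_ISO9660_SUSP_HEADER_SZ || (char *) entry + entry->len > sua + sua_size) break;`.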
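Review bot: the two size checks added to the CE branch in the @@ -300 hunk treat neighbouring malformed cases differently: `sua_size <= 0` silently breaks out of the loop and the function returns success, while `sua_size < GRUB_ISO9660_SUSP_HEADER_SZ` frees sua and returns GRUB_ERR_BAD_FS. At the top of the function a zero-sized area legitimately means "no system use area", but here the size comes from a CE entry that explicitly announced a continuation, so a zero-length continuation is as suspect as a 1..3 byte one. Either return GRUB_ERR_BAD_FS for both, or add a comment stating why zero is tolerated at this point.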
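Review bot: the trailing check in the @@ -319 hunk, `if (((sua + sua_size) - (char *) entry) < GRUB_ISO9660_SUSP_HEADER_SZ) break;`, is the one that actually protects the `entry->len` read in the `while (entry->len > 0)` condition, because the loop condition runs before the "Ensure the entry is within System Use Area" check at the top of the body. That deserves a comment of its own (e.g. "Stop if no complete header fits in the remaining area"); without one, a future reader is likely to see the two checks as duplicates and remove this one, reintroducing the out-of-bounds header read the patch is meant to fix.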
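As an added illustration (not GRUB's code and not part of the patch under review), the following C walks a SUSP system use area with the checks the commit message describes: the area must hold at least one header, and no entry may reach past the end of the area. It also goes a step beyond the patch by rejecting an entry shorter than a header instead of stepping over it. The function name, the -1 error convention and the sample areas are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Size of the fixed SUSP entry header: sig[2], len, ver. */
#define SUSP_HEADER_SZ 4

/* Walk the entries of a system use area held in sua[0..sua_size).
   Returns the number of entries visited, or -1 when the area is
   malformed (hypothetical error convention chosen for this example). */
int susp_walk (const uint8_t *sua, size_t sua_size)
{
  size_t off = 0;
  int count = 0;

  /* The area must be able to hold at least one entry header. */
  if (sua_size < SUSP_HEADER_SZ)
    return -1;

  /* Only read a header while a complete header fits in what is left. */
  while (sua_size - off >= SUSP_HEADER_SZ)
    {
      const uint8_t *sig = sua + off;
      uint8_t len = sua[off + 2];

      if (len == 0)
        break;                        /* padding: no further entries */
      /* Reject an entry shorter than its own header or reaching past
         the end of the area; the patch itself only checks the latter. */
      if (len < SUSP_HEADER_SZ || len > sua_size - off)
        return -1;
      count++;
      if (memcmp (sig, "ST", 2) == 0)
        break;                        /* ST terminates the area */
      off += len;
    }
  return count;
}

/* Constructed sample areas, not taken from any real image. */
const uint8_t susp_good[] = {
  'S', 'P', 7, 1, 0xBE, 0xEF, 0,      /* SP entry, 7 bytes */
  'R', 'R', 5, 1, 0x89,               /* RR entry, 5 bytes */
  'S', 'T', 4, 1                      /* terminator */
};
const uint8_t susp_overrun[] = {
  'S', 'P', 7, 1, 0xBE, 0xEF, 0,
  'N', 'M', 40, 1, 0                  /* claims 40 bytes, only 5 remain */
};
const uint8_t susp_short[] = { 'S', 'P', 2, 1, 'S', 'T', 4, 1 };  /* len 2 < header */
const uint8_t susp_tiny[] = { 'S', 'P', 2 };                      /* area < header */
```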