From: "Thomas Schmitt"
To: grub-devel@gnu.org
Cc: lidong.chen@oracle.com, fengtao40@huawei.com, yanan@huawei.com, daniel.kiper@oracle.com, lichenca2005@gmail.com
Subject: Re: [PATCH v2 3/5] fs/iso9660: Avoid reading past the entry boundary
Date: Wed, 18 Jan 2023 17:14:56 +0100
Message-Id: <12402393031740855516@scdbackup.webframe.org>

Hi,

On Wed, 18 Jan 2023 08:23:56 +0000 Lidong Chen wrote:
> Added a check for the SP entry data boundary before reading it.
>
> Signed-off-by: Lidong Chen
> Reviewed-by: Thomas Schmitt
> ---
> grub-core/fs/iso9660.c | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c > index 65c8862b6..c6d65fc22 100644 > --- a/grub-core/fs/iso9660.c > +++ b/grub-core/fs/iso9660.c > @@ -409,6 +409,9 @@ set_rockridge (struct grub_iso9660_data *data) > if (!sua_size) > return GRUB_ERR_NONE; > > + if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ) > + return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size"= ); > + > sua =3D grub_malloc (sua_size); > if (! sua) > return grub_errno; 
> @@ -435,8 +438,17 @@ set_rockridge (struct grub_iso9660_data *data) > rootnode.have_symlink =3D 0; > rootnode.dirents[0] =3D data->voldesc.rootdir; > > - /* The 2nd data byte stored how many bytes are skipped every time > - to get to the SUA (System Usage Area). */ > + /* The size of SP (version 1) is fixed to 7. */ > + if (sua_size < 7 || entry->len < 7) > + { > + grub_free (sua); > + return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry"); > + } > + > + /* > + * The 2nd data byte stored how many bytes are skipped every time > + * to get to the SUA (System Usage Area). > + */ > data->susp_skip =3D entry->data[2]; > entry =3D (struct grub_iso9660_susp_entry *) ((char *) entry + en= try->len); > > -- > 2.35.1

Reviewed-by: Thomas Schmitt

My minor objections towards v1 are now addressed.

Have a nice day :)

Thomas
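
Review bot: in the hunk at @@ -409,6 +409,9 @@, the new test compares sua_size, the size of the whole SUA, against GRUB_ISO9660_SUSP_HEADER_SZ, yet the error string reads "invalid rock ridge entry size". No single entry has been looked at yet at that point, so a message that names the area rather than an entry would send whoever debugs a rejected image to the right field. The definition of GRUB_ISO9660_SUSP_HEADER_SZ is not among the lines of this patch, so its relation to the literal 7 that the following hunk applies to the same sua_size cannot be confirmed from here; a short comment stating the header size next to the check would help.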
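
Review bot: in the hunk at @@ -435,8 +438,17 @@, the condition "sua_size < 7 || entry->len < 7" bounds entry->len only from below, while the context line directly after it advances entry by entry->len. Nothing in the visible lines keeps entry->len within sua_size, so a large length byte moves the pointer outside the sua allocation before the next entry is examined; adding "entry->len > sua_size" to the same condition would reject that case on the same error path, which already frees sua. Since the new comment says the SP size is fixed to 7, the literal 7, used twice here, would also read better as a named constant alongside GRUB_ISO9660_SUSP_HEADER_SZ.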