Date: Wed, 18 Jan 2023 17:07:34 +0100
From: "Thomas Schmitt"
To: grub-devel@gnu.org
Subject: Re: [PATCH v2 1/5] fs/iso9660: Add check to prevent infinite loop
Cc: lidong.chen@oracle.com, fengtao40@huawei.com, yanan@huawei.com, daniel.kiper@oracle.com, lichenca2005@gmail.com

Hi,

On Wed, 18 Jan 2023 08:23:54 +0000 Lidong Chen wrote:
> There is no check for the end of block when reading
> directory extents. It resulted in read_node() always
> read from the same offset in the while loop, thus
> caused infinite loop. The fix added a check for the
> end of the block and ensure the read is within directory
> boundary.
>
> Signed-off-by: Lidong Chen
> Reviewed-by: Thomas Schmitt
> ---
> grub-core/fs/iso9660.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c > index 91817ec1f..4f4cd6165 100644 > --- a/grub-core/fs/iso9660.c > +++ b/grub-core/fs/iso9660.c > @@ -795,6 +795,15 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, > while (dirent.flags & FLAG_MORE_EXTENTS) > { > offset +=3D dirent.len; > + > + /* offset should within the dir's len. */ > + if (offset > len) > + { > + if (ctx.filename_alloc) > + grub_free (ctx.filename); > + return 0; > + } > + > if (read_node (dir, offset, sizeof (dirent), (char *) &dirent)) > { > if (ctx.filename_alloc)
> @@ -802,6 +811,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, > grub_free (node); > return 0; > } > + > + /* > + * It is either the end of block or zero-padded sector, > + * skip to the next block. > + */ > + if (!dirent.len) > + { > + offset =3D (offset / GRUB_ISO9660_BLKSZ + 1) * GRUB_ISO9660_BLKSZ; > + dirent.flags |=3D FLAG_MORE_EXTENTS; > + continue; > + } > + > if (node->have_dirents >=3D node->alloc_dirents) > { > struct grub_fshelp_node *new_node; > -- > 2.35.1

Reviewed-by: Thomas Schmitt

(I'm not sure whether it is appropriate to add another Reviewed-by after it
was already given and only a minor cosmetic change was made to the patch.
If this is not ok, then please give me a note.)

Have a nice day :)

Thomas
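
Review bot: in the first hunk (@@ -795,6 +795,15 @@), the new "if (offset > len)" early return frees ctx.filename but not node, while the read_node failure path directly after it (visible as leading context of the @@ -802 hunk) also calls "grub_free (node);" before "return 0;". Unless node is released somewhere outside the visible lines, add "grub_free (node);" to the new block so both error exits clean up the same way. The comment would also read better as "offset should be within the dir's len".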
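
Review bot: in the second hunk (@@ -802,6 +811,18 @@), rounding offset up to the next GRUB_ISO9660_BLKSZ boundary can make it exactly equal to len when the directory length (taking len to be that, as the first hunk's comment says) is a multiple of the block size, and the bound check added in the first hunk, "if (offset > len)", lets that value through, so read_node is still asked for sizeof (dirent) bytes starting at the end of the directory. What read_node does with such a request is not visible in this patch, so the loop should not depend on it: consider rejecting when offset + sizeof (dirent) > len, or at least when offset >= len. It would also help to say in the comment that FLAG_MORE_EXTENTS is set on the zero-length record only to re-enter the while loop.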