Date: Wed, 11 Jan 2023 12:54:40 +0100
From: "Thomas Schmitt"
To: grub-devel@gnu.org
Cc: lidong.chen@oracle.com, fengtao40@huawei.com, yanan@huawei.com, daniel.kiper@oracle.com, lichenca2005@gmail.com
Subject: Re: Proposal v2: fs/iso9660: Prevent skipping CE or ST at start of continuation area
Message-Id: <12539387680444945206@scdbackup.webframe.org>
In-Reply-To: <230133879046361020781@scdbackup.webframe.org>

Hi,

i created another bad ISO which i expect to lead to an endless loop in existing GRUB (i.e. before applying the proposed change).

Both ISOs can be downloaded as gzip-compressed files now:

  http://scdbackup.webframe.org/ce_loop.iso.gz
  SHA256: d86b73b0cc260968f50c30a5207b798f5fc2396233aee5eb3cedf9cef069f3c2

  http://scdbackup.webframe.org/ce_loop2.iso.gz
  SHA256: a6bde0c1562de8959d783bca0a79ad750da2bc129bdea2362b4a7c3e83426b2c

They are smaller than 1 KB and expand to 128 KiB, each.

(Please do not load these ISOs into existing xorriso programs by commands like -indev. ce_loop.iso leads to SIGSEGV. ce_loop2.iso leads to an endless loop. The libisofs code fix is only in git for now.)

-------------------------------------------------------------------------
Test proposals for GRUB:

If reading ce_loop.iso by GRUB leads to an error message, then my proposed change is in effect and protected against endless loops. Original GRUB is supposed to just ignore that situation, because it skips over the CE entry by mistake.

If reading ce_loop2.iso by GRUB leads to an error message, then the proposed safety precaution against endless loops is in effect. I expect unpatched GRUB to loop endlessly with this ISO.

-------------------------------------------------------------------------
About the production of ce_loop2.iso:

The CE entry of its file /x points to a dummy SUSP entry XY of length 8 which sits directly before the CE entry. So this dummy entry is the first to be read by GRUB from the pseudo-continuation area, gets processed by the hook() function (with no side effects), and is then followed by the CE entry. Because of the existence of the XY entry, i expect the CE entry not to be skipped by existing GRUB.
# Production begins by the bad ISO of January 9 where the CE entry
# points to itself
cp ce_loop.iso ce_loop2.iso

# Cut out a copy of the bad CE entry
dd if=ce_loop2.iso bs=1 skip=102734 count=28 of=ce_entry

# After the CE entry is plenty of unused space in the same block.
# The length of the directory entry of /x plus 8 will not exceed 255.
# So put the copy back with an offset of 8 bytes.
dd if=ce_entry bs=1 seek=102742 conv=notrunc of=ce_loop2.iso

# Rename the old CE entry head to XY
echo "XY" | dd bs=1 seek=102734 count=2 conv=notrunc of=ce_loop2.iso

# Give it the length of 8
echo $'\x08' | dd bs=1 seek=102736 count=1 conv=notrunc of=ce_loop2.iso

# Set in the new CE entry the continuation area length to 8 + 28 = 36
echo $'\x24' | dd bs=1 seek=102762 count=1 conv=notrunc of=ce_loop2.iso
echo $'\x24' | dd bs=1 seek=102769 count=1 conv=notrunc of=ce_loop2.iso

# Change the length of the directory record from 134 to 142
echo $'\x8e' | dd bs=1 seek=102628 count=1 conv=notrunc of=ce_loop2.iso

The resulting bytes of the whole directory record of /x are then:

000190e0 : .. .. .. .. 8e 00 37 00 00 00 00 00 00 37 02 00    . . . . 7 7
  102624 : ... ... ... ... 142 0 55 0 0 0 0 0 0 55 2 0
000190f0 : 00 00 00 00 00 02 7b 01 09 08 08 1c 00 00 00 00    {
  102640 : 0 0 0 0 0 2 123 1 9 8 8 28 0 0 0 0
00019100 : 01 00 00 01 04 58 2e 3b 31 00 50 58 24 01 a4 81    X . ; 1 P X $
  102656 : 1 0 0 1 4 88 46 59 49 0 80 88 36 1 164 129
00019110 : 00 00 00 00 81 a4 01 00 00 00 00 00 00 01 e8 03
  102672 : 0 0 0 0 129 164 1 0 0 0 0 0 0 1 232 3
00019120 : 00 00 00 00 03 e8 e8 03 00 00 00 00 03 e8 54 46    T F
  102688 : 0 0 0 0 3 232 232 3 0 0 0 0 3 232 84 70
00019130 : 1a 01 0e 7b 01 09 08 08 1c 00 7b 01 09 08 08 2f    { { /
  102704 : 26 1 14 123 1 9 8 8 28 0 123 1 9 8 8 47
00019140 : 00 7b 01 09 08 08 1c 00 4e 4d 06 01 00 78 58 59    { N M x X Y
  102720 : 0 123 1 9 8 8 28 0 78 77 6 1 0 120 88 89
00019150 : 08 01 32 00 00 00 43 45 1c 01 32 00 00 00 00 00    2 C E 2
  102736 : 8 1 50 0 0 0 67 69 28 1 50 0 0 0 0 0
00019160 : 00 32 4e 01 00 00 00 00 01 4e 24 00 00 00 00 00    2 N N $
  102752 : 0 50 78 1 0 0 0 0 1 78 36 0 0 0 0 0
00019170 : 00 24 .. .. .. .. .. .. .. .. .. .. .. .. .. ..    $ . . . . . . . . . . . . . .
  102768 : 0 36 ... ... ... ... ... ... ... ... ... ... ... ... ... ...

-------------------------------------------------------------------------
Have a nice day :)

Thomas