Date: Wed, 18 Jan 2023 17:17:35 +0100
From: "Thomas Schmitt"
To: grub-devel@gnu.org
Cc: lidong.chen@oracle.com, fengtao40@huawei.com, yanan@huawei.com, daniel.kiper@oracle.com, lichenca2005@gmail.com
Subject: Re: [PATCH v2 4/5] fs/iso9660: Incorrect check for entry boundary
Message-Id: <1268139303184377731@scdbackup.webframe.org>
List-Id: The development of GNU GRUB

Hi,

On Wed, 18 Jan 2023 08:23:57 +0000 Lidong Chen wrote:
> An SL entry consists of the entry info and the component area.
> The entry info should take up 5 bytes instead of sizeof (*entry).
> The area after the first 5 bytes is the component area. It is
> incorrect to use the sizeof (*entry) to check the entry boundary.
>
> Signed-off-by: Lidong Chen
> Reviewed-by: Thomas Schmitt
> ---
> grub-core/fs/iso9660.c | 17 +++++++++++++++--
> 1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
> index c6d65fc22..ca45b3424 100644
> --- a/grub-core/fs/iso9660.c
> +++ b/grub-core/fs/iso9660.c
> @@ -663,10 +663,23 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *= entry, > else if (grub_strncmp ("SL", (char *) entry->sig, 2) =3D=3D 0) > { > unsigned int pos =3D 1; > + unsigned int csize; > > - /* The symlink is not stored as a POSIX symlink, translate it. *= / > - while (pos + sizeof (*entry) < entry->len) > + /* The symlink is not stored as a POSIX symlink, translate it. */ > + while ((pos + GRUB_ISO9660_SUSP_HEADER_SZ + 1) < entry->len) > { > + /* > + * entry->len is GRUB_ISO9660_SUSP_HEADER_SZ + 1 (the FLAGS) > + * + length of the "Component Area". The length of a component > + * record is 2 (pos and pos + 1) plus the "Component Content", > + * of which starts at pos + 2. entry->data[pos] is the > + * 'Component Flags'; entry->data[pos + 1] is the length > + * of the component. > + */ > + csize =3D entry->data[pos + 1] + 2; > + if (GRUB_ISO9660_SUSP_HEADER_SZ + 1 + csize > entry->len) > + break; > + > /* The current position is the `Component Flag'. */ > switch (entry->data[pos] & 30) > { > -- > 2.35.1

Reviewed-by: Thomas Schmitt

Most of my initial objections towards patch 4 were wrong. What remained is taken into account now.

Have a nice day :)

Thomas
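Review bot: the new record bound `if (GRUB_ISO9660_SUSP_HEADER_SZ + 1 + csize > entry->len)` leaves pos out, so it only bounds the first component record (pos == 1). A record that starts at entry->data[pos] occupies entry bytes GRUB_ISO9660_SUSP_HEADER_SZ + pos up to GRUB_ISO9660_SUSP_HEADER_SZ + pos + csize - 1, so for the second and later records a length byte that passes this test can still place the "Component Content" at data[pos + 2] onward past entry->len, which is exactly the overrun the loop condition was changed to prevent. Suggest `if (GRUB_ISO9660_SUSP_HEADER_SZ + pos + csize > entry->len) break;`. Two smaller points in the same hunk: the comment's "of which starts at pos + 2" should read "which starts at pos + 2", and it would help to state that the loop condition `(pos + GRUB_ISO9660_SUSP_HEADER_SZ + 1) < entry->len` is what makes reading entry->data[pos + 1] safe before csize is computed from it.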
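As an added example, not code from this thread or from GRUB: a stand-alone C walker over the component area of an RRIP "SL" entry, laid out as the commit message describes (4-byte sig/len/version header, one FLAGS byte, then component records of flags, length and content). It keeps a record bound that includes the record's offset pos, and next to it the same bound with pos left out, so that constructed input shows which records each one accepts. Everything here is an assumption of this example: the constant SUSP_HEADER_SZ (4, which is what "entry info should take up 5 bytes" with one FLAGS byte implies), the functions sl_walk, sl_record_fits, sl_record_fits_nopos and path_append, the path rendering, and the two sample entries.

```c
/*
 * Added example (not GRUB code): walk the component area of a RRIP "SL"
 * (symbolic link) SUSP entry and render the target as a POSIX path, refusing
 * any component record that would extend past the entry's own length byte.
 *
 * Assumed on-disc layout (RRIP 1.12, SL entry):
 *   byte 0..1  signature "SL"
 *   byte 2     len      length of the whole entry, header included
 *   byte 3     version  1
 *   byte 4     FLAGS    entry flags (bit 0 = CONTINUE)
 *   byte 5..   component area: records of { flags, len, content[len] }
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* sig[2] + len + version; assumed equal to GRUB's GRUB_ISO9660_SUSP_HEADER_SZ. */
#define SUSP_HEADER_SZ 4u

/* Component flag bits. GRUB's `& 30` mask keeps CURRENT, PARENT, ROOT and bit 4. */
#define SL_COMP_CONTINUE 0x01u
#define SL_COMP_CURRENT  0x02u
#define SL_COMP_PARENT   0x04u
#define SL_COMP_ROOT     0x08u

struct sl_walk {
  unsigned ncomp;   /* complete component records consumed */
  int overrun;      /* 1 if a record claimed bytes beyond the entry length */
  char path[128];   /* rendered symlink target */
};

/* Correct bound: the record at data[pos] occupies entry bytes
 * [SUSP_HEADER_SZ + pos, SUSP_HEADER_SZ + pos + csize). */
int sl_record_fits(unsigned len, unsigned pos, unsigned csize)
{
  return SUSP_HEADER_SZ + pos + csize <= len;
}

/* Same bound with pos left out: only equivalent for the first record (pos == 1). */
int sl_record_fits_nopos(unsigned len, unsigned csize)
{
  return SUSP_HEADER_SZ + 1 + csize <= len;
}

/* Append n bytes to the rendered path, truncating instead of overflowing. */
static void path_append(struct sl_walk *w, const char *s, size_t n)
{
  size_t used = strlen(w->path);
  if (n > sizeof w->path - 1 - used)
    n = sizeof w->path - 1 - used;
  memcpy(w->path + used, s, n);
  w->path[used + n] = '\0';
}

/* Returns 0 on success, -1 on a malformed entry. `avail` is how many bytes of
 * `entry` the caller really holds (the rest of the system-use area). */
int sl_walk(const uint8_t *entry, size_t avail, struct sl_walk *out)
{
  memset(out, 0, sizeof *out);
  if (avail < SUSP_HEADER_SZ + 1 || memcmp(entry, "SL", 2) != 0)
    return -1;
  unsigned len = entry[2];
  if (len > avail)                 /* entry claims more than the area holds */
    return -1;
  const uint8_t *data = entry + SUSP_HEADER_SZ;
  unsigned pos = 1;                /* data[0] is FLAGS; records start at data[1] */
  int join = 0;                    /* 1 when a '/' must precede the next component */

  /* data[pos] and data[pos + 1] must lie inside the entry before being read. */
  while (pos + SUSP_HEADER_SZ + 1 < len)
    {
      unsigned cflags = data[pos];
      unsigned csize = data[pos + 1] + 2u;   /* flags + length + content */
      if (!sl_record_fits(len, pos, csize))
        {
          out->overrun = 1;
          return -1;
        }
      if (join)
        path_append(out, "/", 1);
      switch (cflags & (SL_COMP_CURRENT | SL_COMP_PARENT | SL_COMP_ROOT))
        {
        case SL_COMP_CURRENT: path_append(out, ".", 1); break;
        case SL_COMP_PARENT:  path_append(out, "..", 2); break;
        case SL_COMP_ROOT:    path_append(out, "/", 1); break;
        case 0:               path_append(out, (const char *) data + pos + 2, csize - 2); break;
        default:              return -1;   /* more than one of CURRENT/PARENT/ROOT set */
        }
      /* CONTINUE: the next record continues this name, so no separator;
       * after ROOT the path already ends in '/'. */
      join = !(cflags & SL_COMP_CONTINUE) && (cflags & SL_COMP_ROOT) == 0;
      out->ncomp++;
      pos += csize;
    }
  return 0;
}

/* Constructed sample: a well-formed SL entry for the target "../foo/bar". */
static const uint8_t sl_good[] = {
  'S', 'L', 17, 1,            /* header: len = 4 + 1 FLAGS + 12 bytes of records */
  0x00,                       /* FLAGS */
  SL_COMP_PARENT, 0,          /* ".." */
  0x00, 3, 'f', 'o', 'o',
  0x00, 3, 'b', 'a', 'r',
};

/* Constructed sample: same entry, but the third record claims 6 content bytes
 * while only 3 remain inside the 17-byte entry. */
static const uint8_t sl_overrun[] = {
  'S', 'L', 17, 1,
  0x00,
  SL_COMP_PARENT, 0,
  0x00, 3, 'f', 'o', 'o',
  0x00, 6, 'b', 'a', 'r',
};

int walk_good_sample(struct sl_walk *out)
{
  return sl_walk(sl_good, sizeof sl_good, out);
}

int walk_overrun_sample(struct sl_walk *out)
{
  return sl_walk(sl_overrun, sizeof sl_overrun, out);
}

int main(void)
{
  struct sl_walk w;
  int rc = walk_good_sample(&w);
  printf("good:    rc=%d ncomp=%u path=\"%s\"\n", rc, w.ncomp, w.path);
  rc = walk_overrun_sample(&w);
  printf("overrun: rc=%d ncomp=%u overrun=%d path=\"%s\"\n", rc, w.ncomp, w.overrun, w.path);
  /* The third record of sl_overrun sits at pos 8 with csize 8 in a 17-byte entry. */
  printf("record fits with pos: %d, without pos: %d\n",
         sl_record_fits(17, 8, 8), sl_record_fits_nopos(17, 8));
  return 0;
}
```

The second sample is the case that separates the two bounds: its third record starts at data[8], so with pos in the arithmetic it needs 4 + 8 + 8 = 20 bytes of a 17-byte entry and is rejected, while the bound without pos sees only 4 + 1 + 8 = 13 and would let the walker read three bytes past the entry.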