From: "Thomas Schmitt" <scdbackup@gmx.net>
To: grub-devel@gnu.org
Cc: lidong.chen@oracle.com, fengtao40@huawei.com, yanan@huawei.com,
daniel.kiper@oracle.com, lichenca2005@gmail.com
Subject: Re: [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary
Date: Thu, 15 Dec 2022 19:08:25 +0100 [thread overview]
Message-ID: <13657389958053582751@scdbackup.webframe.org> (raw)
In-Reply-To: <82e1f5cce08c6257d79533c1ce6076dd95cdc0ca.1671042887.git.lidong.chen@oracle.com>
Hi,
On Wed, 14 Dec 2022 18:55:04 +0000 Lidong Chen <lidong.chen@oracle.com> wrote:
> Added a check for the SP entry data boundary before reading it.
>
> Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
> ---
> grub-core/fs/iso9660.c | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
> index 9170fa820..67aa8451c 100644
> --- a/grub-core/fs/iso9660.c
> +++ b/grub-core/fs/iso9660.c
> @@ -408,6 +408,9 @@ set_rockridge (struct grub_iso9660_data *data)
> if (!sua_size)
> return GRUB_ERR_NONE;
>
> + if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
As mentioned in my review of patch [2/4], GRUB_ISO9660_SUSP_HEADER_SZ should
be defined as 4, rather than as 5. Else entry RE could trigger this error:
> + return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size");
> +
> sua = grub_malloc (sua_size);
> if (! sua)
> return grub_errno;
> @@ -434,8 +437,17 @@ set_rockridge (struct grub_iso9660_data *data)
> rootnode.have_symlink = 0;
> rootnode.dirents[0] = data->voldesc.rootdir;
>
> - /* The 2nd data byte stored how many bytes are skipped every time
> - to get to the SUA (System Usage Area). */
> + /*
> + * The 2nd data byte stored how many bytes are skipped every time
> + * to get to the SUA (System Usage Area).
> + */
> + if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ + 2 ||
> + entry->len < GRUB_ISO9660_SUSP_HEADER_SZ + 2)
This interprets an SP entry, which is specified to have 7 bytes.
So if GRUB_ISO9660_SUSP_HEADER_SZ gets corrected to 4, then the size demand
will have to be (GRUB_ISO9660_SUSP_HEADER_SZ + 3).
Like with the NM interpretation i would rather prefer a plain "7", maybe with
a comment which says that this is the fixed size of SP (version 1).
> + {
> + grub_free (sua);
> + return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry");
> + }
> +
> data->susp_skip = entry->data[2];
> entry = (struct grub_iso9660_susp_entry *) ((char *) entry + entry->len);
>
> --
> 2.35.1
>
Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
But the expression (GRUB_ISO9660_SUSP_HEADER_SZ + 2) will need correction if
my wish for
#define GRUB_ISO9660_SUSP_HEADER_SZ 4
gets fulfilled. As said, i'd prefer a plain "7".
Have a nice day :)
Thomas
next prev parent reply other threads:[~2022-12-15 18:08 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-14 18:55 [PATCH 0/4] fs/iso9660: Fix out-of-bounds read Lidong Chen
2022-12-14 18:55 ` [PATCH 1/4] fs/iso9660: Add check to prevent infinite loop Lidong Chen
2022-12-15 17:52 ` Thomas Schmitt
2022-12-19 8:16 ` Lidong Chen
2022-12-19 9:42 ` Thomas Schmitt
2022-12-14 18:55 ` [PATCH 2/4] fs/iso9660: Prevent read past the end of system use area Lidong Chen
2022-12-15 18:00 ` Thomas Schmitt
2022-12-19 8:39 ` Lidong Chen
2022-12-16 8:54 ` Thomas Schmitt
2022-12-16 9:42 ` Proposal: fs/iso9660: Prevent skipping CE or ST at start of continuation area Thomas Schmitt
2022-12-16 12:57 ` Proposal v2: " Thomas Schmitt
2022-12-20 21:08 ` Lidong Chen
2023-01-06 5:30 ` Lidong Chen
2023-01-06 16:00 ` Thomas Schmitt
2023-01-09 7:34 ` Lidong Chen
2023-01-09 9:32 ` Thomas Schmitt
2023-01-11 11:54 ` Thomas Schmitt
2023-01-12 5:28 ` Lidong Chen
2023-01-12 8:45 ` Thomas Schmitt
2022-12-14 18:55 ` [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary Lidong Chen
2022-12-15 18:08 ` Thomas Schmitt [this message]
2022-12-19 8:42 ` Lidong Chen
2022-12-14 18:55 ` [PATCH 4/4] fs/iso9660: Incorrect check for entry boudary Lidong Chen
2022-12-15 18:20 ` Thomas Schmitt
2022-12-19 21:00 ` Lidong Chen
2022-12-20 9:21 ` Thomas Schmitt
2022-12-14 21:42 ` [PATCH 0/4] fs/iso9660: Fix out-of-bounds read Thomas Schmitt
2022-12-19 8:07 ` Lidong Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=13657389958053582751@scdbackup.webframe.org \
--to=scdbackup@gmx.net \
--cc=daniel.kiper@oracle.com \
--cc=fengtao40@huawei.com \
--cc=grub-devel@gnu.org \
--cc=lichenca2005@gmail.com \
--cc=lidong.chen@oracle.com \
--cc=yanan@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.