Date: Thu, 15 Dec 2022 19:08:25 +0100
From: "Thomas Schmitt"
To: grub-devel@gnu.org
Cc: lidong.chen@oracle.com, fengtao40@huawei.com, yanan@huawei.com, daniel.kiper@oracle.com, lichenca2005@gmail.com
Subject: Re: [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary
Message-Id: <13657389958053582751@scdbackup.webframe.org>
In-Reply-To: <82e1f5cce08c6257d79533c1ce6076dd95cdc0ca.1671042887.git.lidong.chen@oracle.com>
References: <82e1f5cce08c6257d79533c1ce6076dd95cdc0ca.1671042887.git.lidong.chen@oracle.com>
List-Id: The development of GNU GRUB <grub-devel@gnu.org>

Hi,

On Wed, 14 Dec 2022 18:55:04 +0000 Lidong Chen wrote:
> Added a check for the SP entry data boundary before reading it.
>
> Signed-off-by: Lidong Chen
> ---
>  grub-core/fs/iso9660.c | 16 ++++++++++++++--
>  1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
> index 9170fa820..67aa8451c 100644
> --- a/grub-core/fs/iso9660.c
> +++ b/grub-core/fs/iso9660.c
> @@ -408,6 +408,9 @@ set_rockridge (struct grub_iso9660_data *data)
>    if (!sua_size)
>      return GRUB_ERR_NONE;
>
> +  if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)

As mentioned in my review of patch [2/4], GRUB_ISO9660_SUSP_HEADER_SZ should
be defined as 4, rather than as 5. Else entry RE could trigger this error:

> +    return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size");
> +
>    sua = grub_malloc (sua_size);
>    if (! sua)
>      return grub_errno;
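Review bot: the new `if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)` test in the @@ -408 hunk turns a 1- to 3-byte system use area into GRUB_ERR_BAD_FS while the line just above it still returns GRUB_ERR_NONE for sua_size == 0; both cases mean "too small to hold a SUSP header, so no Rock Ridge here", and treating them alike (return GRUB_ERR_NONE for both) avoids refusing an image that merely carries a few padding bytes after the root directory record. If a hard error is intended, the message should name what was measured: at this point no entry has been read, so "system use area too small for a SUSP entry" is more accurate than "invalid rock ridge entry size".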
> @@ -434,8 +437,17 @@ set_rockridge (struct grub_iso9660_data *data)
>    rootnode.have_symlink = 0;
>    rootnode.dirents[0] = data->voldesc.rootdir;
>
> -  /* The 2nd data byte stored how many bytes are skipped every time
> -     to get to the SUA (System Usage Area).  */
> +  /*
> +   * The 2nd data byte stored how many bytes are skipped every time
> +   * to get to the SUA (System Usage Area).
> +   */
> +  if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ + 2 ||
> +      entry->len < GRUB_ISO9660_SUSP_HEADER_SZ + 2)

This interprets an SP entry, which is specified to have 7 bytes.
So if GRUB_ISO9660_SUSP_HEADER_SZ gets corrected to 4, then the size demand
will have to be (GRUB_ISO9660_SUSP_HEADER_SZ + 3).

Like with the NM interpretation I would rather prefer a plain "7", maybe with
a comment which says that this is the fixed size of SP (version 1).

> +    {
> +      grub_free (sua);
> +      return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry");
> +    }
> +
>    data->susp_skip = entry->data[2];
>    entry = (struct grub_iso9660_susp_entry *) ((char *) entry + entry->len);
>
> --
> 2.35.1
>

Reviewed-by: Thomas Schmitt

But the expression (GRUB_ISO9660_SUSP_HEADER_SZ + 2) will need correction if
my wish for
  #define GRUB_ISO9660_SUSP_HEADER_SZ 4
gets fulfilled. As said, I'd prefer a plain "7".


Have a nice day :)

Thomas
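Review bot: in the @@ -434 hunk the new condition bounds entry->len from below (`entry->len < GRUB_ISO9660_SUSP_HEADER_SZ + 2`) but not from above, and the unchanged line that follows, `entry = (struct grub_iso9660_susp_entry *) ((char *) entry + entry->len);`, advances by that untrusted length; nothing in the hunk requires entry->len <= sua_size, so a crafted SP entry with a large len field still moves `entry` past the end of the `sua` allocation. If that pointer is dereferenced afterwards (not visible here), add an `entry->len > sua_size` test to the same condition so it shares the `grub_free (sua);` error path; if it is not, a comment saying why the upper bound is unnecessary would save the next reader the same question.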
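Added here to illustrate the sizes the reply argues about (a 4-byte SUSP header, the 4-byte RE entry that carries no data, the fixed 7-byte SP entry), and not code from GRUB or from either participant in the thread: a small C program that walks a constructed system use area with the bounds checks the patch is reaching for. The names (walk_sua, sua_result, the SUSP_* constants) and the sample byte arrays are this example's own; the samples are constructed, not taken from any real image.

```c
/*
 * Added example, not GRUB's own code: a bounds-checked walk over one Rock
 * Ridge System Use Area (SUA) using the entry sizes the review discusses.
 * A SUSP entry is sig[2], len, version, then data, so the header is 4 bytes
 * and a data-less entry such as RE is exactly 4 bytes; SP version 1 is
 * exactly 7 bytes (header, check bytes 0xBE 0xEF, one skip byte).
 * Names such as walk_sua and sua_result are this example's, not GRUB's.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SUSP_HEADER_SZ 4   /* sig[2] + len + version; 5 would reject RE */
#define SUSP_SP_SZ     7   /* fixed size of SP, version 1 */

struct susp_entry { uint8_t sig[2]; uint8_t len; uint8_t version; uint8_t data[]; };
enum sua_status { SUA_OK = 0, SUA_BAD_ENTRY = -1, SUA_BAD_SP = -2 };
struct sua_result
{
  enum sua_status status;
  int entries;   /* entries accepted before stopping */
  int skip;      /* SP skip byte, or -1 if no SP entry was seen */
};

/* Walk the SUA.  Every field is checked to lie inside [sua, sua + sua_size)
   before it is read; an SP entry must carry its full 7 bytes before data[2]
   is touched.  */
static struct sua_result
walk_sua (const uint8_t *sua, size_t sua_size)
{
  struct sua_result r = { SUA_OK, 0, -1 };
  size_t off = 0;

  /* Fewer than 4 bytes left cannot hold a header: stop, as for a 0-byte SUA.  */
  while (off + SUSP_HEADER_SZ <= sua_size)
    {
      const struct susp_entry *e = (const struct susp_entry *) (sua + off);
      size_t len = e->len;

      /* Zero padding after the last entry.  */
      if (e->sig[0] == 0)
        break;

      /* len includes the header and must not run past the SUA.  */
      if (len < SUSP_HEADER_SZ || off + len > sua_size)
        {
          r.status = SUA_BAD_ENTRY;
          return r;
        }

      if (memcmp (e->sig, "SP", 2) == 0)
        {
          /* data[2] sits at offset 6: require len >= 7 before reading it.  */
          if (len < SUSP_SP_SZ || e->data[0] != 0xBE || e->data[1] != 0xEF)
            {
              r.status = SUA_BAD_SP;
              return r;
            }
          r.skip = e->data[2];
        }

      r.entries++;
      if (memcmp (e->sig, "ST", 2) == 0)
        break;               /* ST terminates the SUSP area */
      off += len;
    }
  return r;
}

/* Constructed sample SUAs (not taken from any real image).  */
static const uint8_t sample_sp_re[] = {
  'S', 'P', 7, 1, 0xBE, 0xEF, 0,      /* SP v1, skip = 0 */
  'R', 'E', 4, 1,                     /* RE: header only, 4 bytes */
};
static const uint8_t sample_short_sp[] = {
  'S', 'P', 6, 1, 0xBE, 0xEF,         /* SP missing its skip byte */
};
static const uint8_t sample_overrun[] = {
  'N', 'M', 20, 1, 0, 'a', 'b', 'c',  /* len claims 20, only 8 present */
};

int
main (void)
{
  struct sua_result r = walk_sua (sample_sp_re, sizeof sample_sp_re);
  printf ("SP+RE: status %d, %d entries, skip %d\n", r.status, r.entries, r.skip);
  printf ("short SP: status %d\n", walk_sua (sample_short_sp, sizeof sample_short_sp).status);
  printf ("overrun: status %d\n", walk_sua (sample_overrun, sizeof sample_overrun).status);
  return 0;
}
```

With SUSP_HEADER_SZ defined as 5 instead of 4, the RE entry in sample_sp_re would fail the `len < SUSP_HEADER_SZ` test, which is the objection the reply raises against patch [2/4]. The SP check compares against the fixed 7 rather than header + 2, so it stays correct however the header constant is defined, and the `off + len > sua_size` test is the upper bound that keeps the following `off += len` inside the buffer.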