From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from list by lists.gnu.org with archive (Exim 4.90_1)
	id 1mRKTl-0006wA-Gg
	for mharc-grub-devel@gnu.org; Fri, 17 Sep 2021 16:29:01 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:60078)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <development@efficientek.com>)
 id 1mRKTj-0006uD-Eu
 for grub-devel@gnu.org; Fri, 17 Sep 2021 16:28:59 -0400
Received: from mail-il1-x129.google.com ([2607:f8b0:4864:20::129]:46671)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <development@efficientek.com>)
 id 1mRKTh-0006uZ-G9
 for grub-devel@gnu.org; Fri, 17 Sep 2021 16:28:59 -0400
Received: by mail-il1-x129.google.com with SMTP id h20so11537696ilj.13
 for <grub-devel@gnu.org>; Fri, 17 Sep 2021 13:28:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=efficientek-com.20210112.gappssmtp.com; s=20210112;
 h=from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=C08n+7gBopoptwYnHdCzoS7JKMmd/c3O4HyBbB5kKtY=;
 b=pT7g+XsygbVYLx5hiM9NDpn0WqqSFc28skEYhxkC04DyHjf5o8YoHrP+/A8u8W1Trd
 BtU82Ia++sF4KejofK2rewPwATaiRBApsNn83elVK8XJtz50poLdlFDKAldOdo7qJfaU
 /LQtnQUXioP+MTrBJHoxaMmLAEWgT9X9O3+ziFtIa2Nqc5Vx1yNG6gu+Edl8h2XejFzj
 muBArXoc1dSx6KVqXPEiyeXImtiKZSfLYNG7z88rX6nZ967a7tTppmbKYSYmtIWkmyX6
 WzWiFUI7igDhVdXzD4oBhZbfrjtlc6abo7MJOiAYsD8XNLdKSlUWOWqKAVzM0zz5Yk8e
 /ndQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=C08n+7gBopoptwYnHdCzoS7JKMmd/c3O4HyBbB5kKtY=;
 b=fsZIQFM/MvJUYrq1uQX23OrezvTJnxGiy0zl7J8nSsQQoM1Iw7fTPGZ7Qtt2AZ5uwt
 0zQfARHmwbp7MDTRdJZIq3qohsjlmQ0oke+5cwYANBraXxBKIHLiM6VlBOTprFPZbU5E
 nXoEg0IHcmv2UtiQyM8tnFw0Co3EY9V6oEhZ4CrSe/lPkHzbdOvPa9EJegvmJ1FDLcCH
 bEZ2FB5jIwJ/51iaP5i06abLUGGEKlNTN1UG30JamRl9Q1jcSt8YOtY3nMihRRo1p80c
 PK72wTBxkTrSNfgI+eoAlTw4CfJZBrwPl4EN7S48Umo3cFYYz2NDI4mW/xM5GaUDh4La
 Y4bw==
X-Gm-Message-State: AOAM531XUgVY7nUHRUWOJDBaf3gVNax3fxAAmKpRTFepESgSNUsWrP7o
 VZjx23WL3nQPoSJ82U0P0O2+GA==
X-Google-Smtp-Source: ABdhPJxNTeF8HEmv9xkf29Fq1a5wsiPNYds6b0Ickc7I4owMeDeG8KN8voJwpOyttK5pkF9Uj0F0CA==
X-Received: by 2002:a92:444e:: with SMTP id a14mr9549966ilm.152.1631910535586; 
 Fri, 17 Sep 2021 13:28:55 -0700 (PDT)
Received: from localhost.localdomain ([2806:103e:1d:2421:9e05:7c55:51:e84b])
 by smtp.gmail.com with ESMTPSA id d14sm4329256iod.18.2021.09.17.13.28.53
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 17 Sep 2021 13:28:54 -0700 (PDT)
From: Glenn Washburn <development@efficientek.com>
To: Daniel Kiper <daniel.kiper@oracle.com>
Cc: Glenn Washburn <development@efficientek.com>,
	grub-devel@gnu.org
Subject: [PATCH v2] udf: Fix regression which is preventing symlink access
Date: Fri, 17 Sep 2021 20:28:05 +0000
Message-Id: <20210917202805.1582079-1-development@efficientek.com>
X-Mailer: git-send-email 2.32.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2607:f8b0:4864:20::129;
 envelope-from=development@efficientek.com; helo=mail-il1-x129.google.com
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: grub-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: The development of GNU GRUB <grub-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/grub-devel>,
 <mailto:grub-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/grub-devel>
List-Post: <mailto:grub-devel@gnu.org>
List-Help: <mailto:grub-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/grub-devel>,
 <mailto:grub-devel-request@gnu.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Sep 2021 20:29:00 -0000

This code was broken by commit 3f05d693 ("malloc: Use overflow checking
primitives where we do complex allocations"), which added overflow checking
in many areas. The problem here is that the changes update the local
variable sz, which was already in use and which was not updated before the
change. So the code using sz was getting a different value of than it would
have previously for the same UDF image. This causes the logic getting the
destination of the symlink to not realize that its gotten the full
destination, but keeps trying to read past the end of the destination. The
bytes after the end are generally NULL padding bytes, but that's not a
valid component type (ECMA-167 14.16.1.1). So grub_udf_read_symlink branches
to error logic, returning NULL, instead of the symlink destination path.

The result of this bug is that the UDF filesystem tests were failing in the
symlink test with the grub-fstest error message:

    grub-fstest: error: cannot open `(loop0)/sym': invalid symlink.

This change stores the result of doubling sz in another local variable s,
so as not to modify sz. Also remove unnecessary grub_add, which increased
the output by 1, persumably to account for a NULL byte. This isn't needed
because an output buffer of size twice sz is already guaranteed to be more
than enough to contain the path components converted to UTF-8. The value of
sz contains at least 4 bytes for the path component header (ECMA-167
14.16.1), which means that 2*4 bytes are allocated but will not be used for
UTF-8 characters, so the NULL byte is accounted for.

Signed-off-by: Glenn Washburn <development@efficientek.com>
---
 grub-core/fs/udf.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
index 2ac5c1d00..4ff97021c 100644
--- a/grub-core/fs/udf.c
+++ b/grub-core/fs/udf.c
@@ -1022,7 +1022,7 @@ grub_udf_iterate_dir (grub_fshelp_node_t dir,
 static char *
 grub_udf_read_symlink (grub_fshelp_node_t node)
 {
-  grub_size_t sz = U64 (node->block.fe.file_size);
+  grub_size_t s, sz = U64 (node->block.fe.file_size);
   grub_uint8_t *raw;
   const grub_uint8_t *ptr;
   char *out = NULL, *optr;
@@ -1035,11 +1035,19 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
   if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0)
     goto fail_1;
 
-  if (grub_mul (sz, 2, &sz) ||
-      grub_add (sz, 1, &sz))
+  /*
+   * Local sz is the size of the symlink file data, which contains a sequence
+   * of path components (ECMA-167 14.16.1) representing the link destination.
+   * This size is an upper-bound on the number of bytes of a contained and
+   * potentially compressed UTF-16 character string. Allocate 2*sz for the
+   * output buffer containing the string converted to UTF-8 because the
+   * resulting string can not be more than double the size (2-byte unicode
+   * code points will be converted to a maximum of 3 bytes in UTF-8).
+   */
+  if (grub_mul (sz, 2, &s))
     goto fail_0;
 
-  out = grub_malloc (sz);
+  out = grub_malloc (s);
   if (!out)
     {
  fail_0:
@@ -1051,7 +1059,6 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
 
   for (ptr = raw; ptr < raw + sz; )
     {
-      grub_size_t s;
       if ((grub_size_t) (ptr - raw + 4) > sz)
 	goto fail_1;
       if (!(ptr[2] == 0 && ptr[3] == 0))
-- 
2.25.1