Date: Thu, 15 Dec 2022 18:52:03 +0100
From: "Thomas Schmitt"
To: grub-devel@gnu.org
Subject: Re: [PATCH 1/4] fs/iso9660: Add check to prevent infinite loop
Cc: lidong.chen@oracle.com, fengtao40@huawei.com, yanan@huawei.com, daniel.kiper@oracle.com, lichenca2005@gmail.com

Hi,

On Wed, 14 Dec 2022 18:55:02 +0000 Lidong Chen wrote:
> There is no check for the end of block When reading

s/When/when/

> directory extents. It resulted in read_node() always
> read from the same offset in the while loop, thus
> caused infinite loop. The fix added a check for the
> end of the block and ensure the read is within directory
> boundary.
>
> Signed-off-by: Lidong Chen
> --- > grub-core/fs/iso9660.c | 21 +++++++++++++++++++++ > 1 file changed, 21 insertions(+) > > diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c > index 91817ec1f..4f4cd6165 100644 > --- a/grub-core/fs/iso9660.c > +++ b/grub-core/fs/iso9660.c > @@ -795,6 +795,15 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, > while (dirent.flags & FLAG_MORE_EXTENTS) > { > offset +=3D dirent.len; > + > + /* offset should within the dir's len. */ > + if (offset > len) > + { > + if (ctx.filename_alloc) > + grub_free (ctx.filename); > + return 0; > + } > + > if (read_node (dir, offset, sizeof (dirent), (char *) &dirent)) > { > if (ctx.filename_alloc) 
> @@ -802,6 +811,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, > grub_free (node); > return 0; > } > + > + /* > + * It is either the end of block or zero-padded sector, > + * skip to the next block. > + */ > + if (!dirent.len) > + { > + offset =3D (offset / GRUB_ISO9660_BLKSZ + 1) * GRUB_ISO9660_BLKSZ; > + dirent.flags |=3D FLAG_MORE_EXTENTS; > + continue; > + } > + > if (node->have_dirents >=3D node->alloc_dirents) > { > struct grub_fshelp_node *new_node; > -- > 2.35.1 >

Reviewed-by: Thomas Schmitt

The second hunk will become very necessary when more initrds >= 4 GiB will
be around. Then GRUB might more probably encounter directory records of
a large file which are not stored in the same block.

(Are we aware of the file size limit of 32 GiB - 14 KiB - 1 imposed by
  struct grub_fshelp_node {
    ...
    struct grub_iso9660_dir dirents[8];
    ...
  }
?
)

Have a nice day :)

Thomas
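
Review bot: In the first hunk (@@ -795,6 +795,15 @@), the new early return taken on "if (offset > len)" frees ctx.filename but not node, while the read_node() failure path directly below it, whose tail is visible as context at the top of the second hunk, ends with "grub_free (node); return 0;". Unless node is owned elsewhere at this point, the new path should free it as well. Two smaller points: the test lets offset == len through, after which read_node() is asked for sizeof (dirent) bytes starting at the end of the directory, so comparing offset + sizeof (dirent) against len would match the commit message's "within directory boundary" more closely; and the comment should read "offset should be within the dir's len".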
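
Review bot: In the second hunk (@@ -802,6 +811,18 @@), setting FLAG_MORE_EXTENTS on a zero-length record exists only to get past the while condition again after "continue", and the comment above "if (!dirent.len)" does not say so; please document that, since the flag did not come from the media. It is also worth stating that termination of this skip relies on the "offset > len" check from the first hunk: each pass adds dirent.len == 0 to offset and then advances it by one GRUB_ISO9660_BLKSZ, so without that check a run of zero-filled blocks would keep the loop going until read_node() fails.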