From: "Thomas Schmitt"
To: grub-devel@gnu.org
Cc: lidong.chen@oracle.com, fengtao40@huawei.com, yanan@huawei.com, daniel.kiper@oracle.com, lichenca2005@gmail.com
Date: Mon, 19 Dec 2022 10:42:11 +0100
Subject: Re: [PATCH 1/4] fs/iso9660: Add check to prevent infinite loop

Hi,

i wrote:
> > (Are we aware of the file size limit of 32 GiB - 14 KiB - 1 imposed by
> >   struct grub_fshelp_node { ... struct grub_iso9660_dir dirents[8]; ... }
> > ? )

Lidong Chen wrote:
> I am not familiar with this file size limit. Do we need to add a check
> somewhere?

Good question. The answer probably disproves my statement because the
struct definition seems not to match exactly its usage:

Assessment happens in grub_iso9660_iterate_dir():

          while (dirent.flags & FLAG_MORE_EXTENTS)
            {
              ...
              if (node->have_dirents >= node->alloc_dirents)
                {

At this point an overflow of currently allocated .dirents[] was detected.

                  struct grub_fshelp_node *new_node;
                  grub_size_t sz;

                  if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) ||
                      grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
                      grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
                      grub_add (sz, sizeof (struct grub_fshelp_node), &sz))
                    goto fail_0;

                  new_node = grub_realloc (node, sz);

I understand the computations in the if-clause as:
- The number of allocated dirents is doubled.
- The new_node size is the size of the new number of .dirents minus 8
  .dirent sizes for the eight .dirents which are part of the
  grub_fshelp_node definition,
- plus the defined size of the grub_fshelp_node.
The new_node gets allocated with that size, which provides enough space
for the new dirent and many of its potential successors.

So i retract my statement. Data file size seems quite unlimited.
At some point grub_mul() or grub_realloc() will throw an error if the number
of .dirents is too high for grub_size_t or the machine's memory.


Have a nice day :)

Thomas
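
The size arithmetic walked through in the message above, as an added example that is neither GRUB's code nor part of the original mail. GCC/Clang overflow builtins stand in for grub_mul/grub_sub/grub_add; the struct layouts, all names and the 34-byte record size are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins: field layout and the 34-byte record size are
   assumptions for illustration, not GRUB's real definitions. */
#define EMBEDDED_DIRENTS 8
struct dirent_stub { unsigned char raw[34]; };
struct node_stub {
  size_t have_dirents, alloc_dirents;
  struct dirent_stub dirents[EMBEDDED_DIRENTS];
};

/* Double *alloc and compute the byte size of the grown node. Returns false
   if any step overflows size_t (the "goto fail_0" case); unlike the quoted
   code, *alloc is left untouched on failure. */
bool grown_node_size (size_t *alloc, size_t *sz)
{
  size_t n, bytes;

  if (__builtin_mul_overflow (*alloc, (size_t) 2, &n)
      || __builtin_sub_overflow (n, (size_t) EMBEDDED_DIRENTS, &bytes)
      || __builtin_mul_overflow (bytes, sizeof (struct dirent_stub), &bytes)
      || __builtin_add_overflow (bytes, sizeof (struct node_stub), &bytes))
    return false;
  *alloc = n;
  *sz = bytes;
  return true;
}

/* Count how many doublings succeed, starting from the embedded 8 slots,
   before the size arithmetic itself refuses to continue. */
unsigned doublings_until_overflow (void)
{
  size_t alloc = EMBEDDED_DIRENTS, sz;
  unsigned k = 0;

  while (grown_node_size (&alloc, &sz))
    k++;
  return k;
}

int main (void)
{
  printf ("doublings before overflow: %u\n", doublings_until_overflow ());
  return 0;
}
```

In practice the allocator fails long before the arithmetic does, so the checked computation only guarantees that the size passed to realloc is never a wrapped, too-small value.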