From: "Thomas Schmitt" <scdbackup@gmx.net>
To: grub-devel@gnu.org
Cc: fengtao40@huawei.com
Subject: Re: Possible memory fault in fs/iso9660 (correction)
Date: Thu, 24 Nov 2022 16:16:37 +0100 [thread overview]
Message-ID: <29109400204265589390@scdbackup.webframe.org> (raw)
In-Reply-To: <20221124131740.mioaqoewv6gnag5i@tomti.i.net-space.pl>
Hi,
(Again i Cc t.feng in the hope that the review is not finished yet. :))
Daniel Kiper wrote:
> I am not an ISO format expert but your thinking LGTM.
So you agree that "3" is really the right number if any remaining bytes
fewer than 4 shall be ignored ?
(I don't trust myself, although i made an example with finger counting.)
> could you send a patch fixing this issue?
This should be possible. But how to test ?
Normal ISOs made with GNU/Linux will cause (entry == sua + sua_size) at
the end of the SUSP data. So provoking the problem and checking whether
it is solved will need a hacked ISO.
I will think about creating such an ISO by help of xorriso and dd.
While exploring the SUSP/RRIP entry types which are interpreted by GRUB,
i got to more credulence towards the ISO producer.
E.g. in grub-core/fs/iso9660.c line 404 ff.
/* The 2nd data byte stored how many bytes are skipped every time
to get to the SUA (System Usage Area). */
data->susp_skip = entry->data[2];
This is a memory fault if (sua_size < 7). I see no check between
sua = grub_malloc (sua_size);
and the read access to entry->data[2].
Another example:
grub_iso9660_susp_iterate() calls its parameter hook() without checking
that the alleged entry size is within the range of sua_size. The hook()
function does not get sua_size to check on its own.
In general:
How mistrusting should GRUB be towards the bytes in the filesystem ?
Have a nice day :)
Thomas
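The two concerns raised above (an entry whose declared length runs past the end of the System Use Area, and an SP entry too short to hold the byte read as `entry->data[2]`) are what a bounds-checked SUSP walker has to guard against. The following is an added illustration, not GRUB's `grub_iso9660_susp_iterate()` and not code from this thread; names such as `susp_iterate_checked`, `handle_entry` and `struct susp_state` are invented here, and the SUA byte strings are constructed samples. The loop stops when fewer than four bytes remain (no complete header fits), rejects entries whose length is shorter than a header or longer than the remaining area, and hands the hook the entry length so it can refuse a truncated SP entry before touching `data[2]`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SUSP entry header: 2-byte signature, 1-byte total length, 1-byte version.
   The bytes that follow correspond to entry->data[] in GRUB's struct. */
#define SUSP_HDR_LEN 4

/* Hook receives the entry and its (already validated) length. Return nonzero to stop. */
typedef int (*susp_hook_t)(const uint8_t *entry, size_t entry_len, void *ctx);

/* Walk a System Use Area of sua_size bytes.
   Returns the number of entries delivered to hook, or -1 if an entry's
   declared length cannot fit in the remaining bytes. */
int susp_iterate_checked(const uint8_t *sua, size_t sua_size,
                         susp_hook_t hook, void *ctx)
{
    size_t off = 0;
    int count = 0;

    /* Fewer than 4 remaining bytes cannot hold a header: ignore them. */
    while (sua_size - off >= SUSP_HDR_LEN) {
        size_t len = sua[off + 2];

        /* A length below 4 would loop forever; a length above the remaining
           area would read past the malloc'ed buffer. Reject both. */
        if (len < SUSP_HDR_LEN || len > sua_size - off)
            return -1;

        if (hook(sua + off, len, ctx))
            break;
        count++;
        off += len;
    }
    return count;
}

struct susp_state {
    int susp_skip;   /* value from SP entry data[2] */
    int nm_seen;     /* an NM (alternate name) entry was encountered */
    int malformed;   /* an entry was well-sized but semantically invalid */
};

static int handle_entry(const uint8_t *e, size_t len, void *ctx)
{
    struct susp_state *st = ctx;

    if (memcmp(e, "SP", 2) == 0) {
        /* SP is 7 bytes: header, 0xBE, 0xEF, skip. Check the length before
           reading data[2] (byte 6) instead of trusting the producer. */
        if (len < 7 || e[4] != 0xBE || e[5] != 0xEF) {
            st->malformed = 1;
            return 1;
        }
        st->susp_skip = e[6];
    } else if (memcmp(e, "NM", 2) == 0) {
        st->nm_seen = 1;
    }
    return 0;
}

/* Constructed sample: SP (skip=2), NM "hello", then 2 padding bytes. */
static const uint8_t sua_good[] = {
    'S', 'P', 7, 1, 0xBE, 0xEF, 0x02,
    'N', 'M', 10, 1, 0, 'h', 'e', 'l', 'l', 'o',
    0, 0
};
/* Constructed sample: SP claims 7 bytes but only 5 are present. */
static const uint8_t sua_overlong[] = { 'S', 'P', 7, 1, 0xBE };
/* Constructed sample: SP entry of only 4 bytes, so data[2] does not exist. */
static const uint8_t sua_short_sp[] = { 'S', 'P', 4, 1 };

int demo_well_formed_count(void)
{
    struct susp_state st = {0};
    return susp_iterate_checked(sua_good, sizeof sua_good, handle_entry, &st);
}

int demo_well_formed_skip(void)
{
    struct susp_state st = {0};
    susp_iterate_checked(sua_good, sizeof sua_good, handle_entry, &st);
    return st.nm_seen ? st.susp_skip : -1;
}

int demo_overlong_entry(void)
{
    struct susp_state st = {0};
    return susp_iterate_checked(sua_overlong, sizeof sua_overlong, handle_entry, &st);
}

int demo_short_sp(void)
{
    struct susp_state st = {0};
    susp_iterate_checked(sua_short_sp, sizeof sua_short_sp, handle_entry, &st);
    return st.malformed;
}

int main(void)
{
    printf("well-formed: %d entries, skip=%d\n",
           demo_well_formed_count(), demo_well_formed_skip());
    printf("overlong entry: %d (expect -1)\n", demo_overlong_entry());
    printf("short SP: malformed=%d\n", demo_short_sp());
    return 0;
}
```

The hook gets `len` rather than the whole `sua_size`, which is enough for it to validate a fixed-size entry such as SP on its own; the iterator has already guaranteed that `len` bytes really exist.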
Thread overview:
2022-11-19 12:38 Possible memory fault in fs/iso9660 (Thomas Schmitt)
2022-11-19 12:57 Possible memory fault in fs/iso9660 (correction) (Thomas Schmitt)
2022-11-24 13:17 Daniel Kiper
2022-11-24 15:16 Thomas Schmitt [this message]
2022-11-29 09:32 Fengtao (fengtao, Euler)
2022-11-29 14:26 Daniel Kiper
2022-11-29 19:12 Thomas Schmitt
2022-11-29 18:47 Thomas Schmitt
2022-12-12 14:32 Daniel Kiper