* [PATCH] fix attempt to seek outside of the file error when parsing xen ELF notes
From: Michael Chang @ 2016-03-03 7:33 UTC
To: The development of GNU GRUB
The kernel bzImage payload length appears to be incorrectly decremented by 4 when
trying to grub_file_offset_open for the uncompressed vmlinux image. If gzip is
used as the compressor, it will lead to file->size being read from the offset of
the crc32 instead of the uncompressed image size.
[1] http://www.onicos.com/staff/iz/formats/gzip.html
---
grub-core/loader/i386/xen_file.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/loader/i386/xen_file.c b/grub-core/loader/i386/xen_file.c
index 5836218..37f9ad8 100644
--- a/grub-core/loader/i386/xen_file.c
+++ b/grub-core/loader/i386/xen_file.c
@@ -55,11 +55,11 @@ grub_xen_file (grub_file_t file)
grub_dprintf ("xen", "found bzimage payload 0x%llx-0x%llx\n",
(unsigned long long) (lh.setup_sects + 1) * 512
+ lh.payload_offset,
- (unsigned long long) lh.payload_length - 4);
+ (unsigned long long) lh.payload_length);
off_file = grub_file_offset_open (file, (lh.setup_sects + 1) * 512
+ lh.payload_offset,
- lh.payload_length - 4);
+ lh.payload_length);
if (!off_file)
goto fail;
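Review bot: the grub_file_offset_open call takes its start, (lh.setup_sects + 1) * 512 + lh.payload_offset, and now the full lh.payload_length straight from the setup header, and nothing in these lines checks that start plus length stays inside the file before the window is opened. With the 4-byte margin gone, a header whose payload_length overstates the payload by even a few bytes puts the end of the window past the end of the file, so consider comparing the sum against the file size ahead of the call and taking the existing "goto fail" path when it does not fit. A short comment at the call saying that the length must cover the compressor's trailer (for gzip, the final 4 bytes holding the uncompressed size, as the commit message explains) would also keep the "- 4" from being reintroduced.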
--
1.8.5.6
* Re: [PATCH] fix attempt to seek outside of the file error when parsing xen ELF notes
From: Andrei Borzenkov @ 2016-03-03 18:17 UTC
To: grub-devel
03.03.2016 10:33, Michael Chang wrote:
> The kernel bzImage payload length appears to be incorrectly decremented by 4 when
> trying to grub_file_offset_open for the uncompressed vmlinux image. If gzip is
> used as the compressor, it will lead to file->size being read from the offset of
> the crc32 instead of the uncompressed image size.
>
> [1] http://www.onicos.com/staff/iz/formats/gzip.html
> ---
> grub-core/loader/i386/xen_file.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/grub-core/loader/i386/xen_file.c b/grub-core/loader/i386/xen_file.c
> index 5836218..37f9ad8 100644
> --- a/grub-core/loader/i386/xen_file.c
> +++ b/grub-core/loader/i386/xen_file.c
> @@ -55,11 +55,11 @@ grub_xen_file (grub_file_t file)
> grub_dprintf ("xen", "found bzimage payload 0x%llx-0x%llx\n",
> (unsigned long long) (lh.setup_sects + 1) * 512
> + lh.payload_offset,
> - (unsigned long long) lh.payload_length - 4);
> + (unsigned long long) lh.payload_length);
>
> off_file = grub_file_offset_open (file, (lh.setup_sects + 1) * 512
> + lh.payload_offset,
> - lh.payload_length - 4);
> + lh.payload_length);
> if (!off_file)
> goto fail;
>
>
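Review bot: in the grub_dprintf call the start is widened with (unsigned long long) before the multiplication, but the same expression passed to grub_file_offset_open just below is not cast, so if the sum wraps in the narrower type the logged start and the start actually opened differ. Computing the start once into a 64-bit local and using it in both places would keep the debug output accurate. The format string "0x%llx-0x%llx" also reads as a start-end range while the second argument is a length; either print start + length or change the separator.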
Looks strange indeed. I wonder what the original intention was; the code has looked
this way from the very beginning. Maybe it is required with some other
format?
* Re: [PATCH] fix attempt to seek outside of the file error when parsing xen ELF notes
From: Michael Chang @ 2016-03-04 6:50 UTC
To: The development of GNU GRUB
On Thu, Mar 03, 2016 at 09:17:27PM +0300, Andrei Borzenkov wrote:
> 03.03.2016 10:33, Michael Chang wrote:
> > The kernel bzImage payload length appears to be incorrectly decremented by 4 when
> > trying to grub_file_offset_open for the uncompressed vmlinux image. If gzip is
> > used as the compressor, it will lead to file->size being read from the offset of
> > the crc32 instead of the uncompressed image size.
> >
> > [1] http://www.onicos.com/staff/iz/formats/gzip.html
> > ---
> > grub-core/loader/i386/xen_file.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/grub-core/loader/i386/xen_file.c b/grub-core/loader/i386/xen_file.c
> > index 5836218..37f9ad8 100644
> > --- a/grub-core/loader/i386/xen_file.c
> > +++ b/grub-core/loader/i386/xen_file.c
> > @@ -55,11 +55,11 @@ grub_xen_file (grub_file_t file)
> > grub_dprintf ("xen", "found bzimage payload 0x%llx-0x%llx\n",
> > (unsigned long long) (lh.setup_sects + 1) * 512
> > + lh.payload_offset,
> > - (unsigned long long) lh.payload_length - 4);
> > + (unsigned long long) lh.payload_length);
> >
> > off_file = grub_file_offset_open (file, (lh.setup_sects + 1) * 512
> > + lh.payload_offset,
> > - lh.payload_length - 4);
> > + lh.payload_length);
> > if (!off_file)
> > goto fail;
> >
> >
> Looks strange indeed. I wonder what the original intention was; the code has looked
> this way from the very beginning. Maybe it is required with some other
> format?
I also wonder about that possibility. But looking into other formats, it looks
to me more likely a bug than intended.
Unless there's unexpected padding at the end of the payload, it looks to me
that xz would also fail the footer sanity check, as the last stream
block's footer magic is discarded by that size of payload_length - 4.
Thanks,
Michael
* Re: [PATCH] fix attempt to seek outside of the file error when parsing xen ELF notes
From: Vladimir 'phcoder' Serbinenko @ 2016-03-11 7:13 UTC
To: The development of GNU GRUB
On Thu, 3 Mar 2016 19:17, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> 03.03.2016 10:33, Michael Chang wrote:
> > The kernel bzImage payload length appears to be incorrectly decremented by 4 when
> > trying to grub_file_offset_open for the uncompressed vmlinux image. If gzip is
> > used as the compressor, it will lead to file->size being read from the offset of
> > the crc32 instead of the uncompressed image size.
> >
> > [1] http://www.onicos.com/staff/iz/formats/gzip.html
> > ---
> > grub-core/loader/i386/xen_file.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/grub-core/loader/i386/xen_file.c
> b/grub-core/loader/i386/xen_file.c
> > index 5836218..37f9ad8 100644
> > --- a/grub-core/loader/i386/xen_file.c
> > +++ b/grub-core/loader/i386/xen_file.c
> > @@ -55,11 +55,11 @@ grub_xen_file (grub_file_t file)
> > grub_dprintf ("xen", "found bzimage payload 0x%llx-0x%llx\n",
> > (unsigned long long) (lh.setup_sects + 1) * 512
> > + lh.payload_offset,
> > - (unsigned long long) lh.payload_length - 4);
> > + (unsigned long long) lh.payload_length);
> >
> > off_file = grub_file_offset_open (file, (lh.setup_sects + 1) * 512
> > + lh.payload_offset,
> > - lh.payload_length - 4);
> > + lh.payload_length);
> > if (!off_file)
> > goto fail;
> >
> >
> Looks strange indeed. I wonder what the original intention was; the code has looked
> this way from the very beginning. Maybe it is required with some other
> format?
>
I don't remember and I haven't kept the image I originally used for this.
So I can't check if this doesn't break anything. But it looks like it fixes
stuff, so I'm going to commit it.
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>
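The gzip trailer layout behind the bug discussed in this thread, as an added example that is not code from GRUB or from anyone in the thread: the last 8 bytes of a gzip member are CRC32 followed by ISIZE, so a window shortened by 4 bytes ends on the CRC32 and no longer holds a complete stream. The image bytes and helper names are constructed for illustration, and size_from_window is an assumed model of a reader that takes the uncompressed size from the last 4 bytes of the window it is given.

```python
import gzip
import struct
import zlib

# Constructed stand-in for an uncompressed vmlinux (not a real kernel image).
IMAGE = b"\x7fELF" + bytes(range(256)) * 64


def make_payload(image):
    """gzip member standing in for a gzip-compressed bzImage payload."""
    return gzip.compress(image, mtime=0)


def trailer_fields(payload):
    """Parse the 8-byte gzip trailer: CRC32, then ISIZE, both little-endian."""
    return struct.unpack("<II", payload[-8:])


def size_from_window(payload, length):
    """Assumed reader model: uncompressed size = last 4 bytes of the window."""
    return struct.unpack("<I", payload[:length][-4:])[0]


def stream_complete(payload, length):
    """True only if the window holds the whole member, trailer included."""
    d = zlib.decompressobj(wbits=31)  # 31 selects gzip framing
    d.decompress(payload[:length])
    return d.eof


if __name__ == "__main__":
    payload = make_payload(IMAGE)
    crc32, isize = trailer_fields(payload)
    full, short = len(payload), len(payload) - 4
    print(f"image size      : {len(IMAGE):#x}")
    print(f"trailer CRC32   : {crc32:#x}, ISIZE: {isize:#x}")
    print(f"size, full len  : {size_from_window(payload, full):#x}")
    print(f"size, len - 4   : {size_from_window(payload, short):#x}  (the CRC32)")
    print(f"complete, full  : {stream_complete(payload, full)}")
    print(f"complete, len-4 : {stream_complete(payload, short)}")
```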