[PATCH 4/4] fs/iso9660: Incorrect check for entry boundary
From: Lidong Chen
Subject: [PATCH 4/4] fs/iso9660: Incorrect check for entry boundary
Date: Wed, 14 Dec 2022 18:55:05 +0000
An entry consists of the entry info and the component area.
The entry info should take up 5 bytes instead of sizeof (*entry).
The area after the first 5 bytes is the component area. The code
uses the sizeof (*entry) to check the boundary which is incorrect.
Also, an entry may not have a component record. Added a check for
the component length before reading the component record.
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
---
grub-core/fs/iso9660.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index 67aa8451c..af432ee82 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -662,10 +662,22 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
else if (grub_strncmp ("SL", (char *) entry->sig, 2) == 0)
{
unsigned int pos = 1;
+ unsigned int csize;
- /* The symlink is not stored as a POSIX symlink, translate it. */
- while (pos + sizeof (*entry) < entry->len)
+ /* The symlink is not stored as a POSIX symlink, translate it. */
+ while ((pos + GRUB_ISO9660_SUSP_HEADER_SZ) < entry->len)
{
+ /*
+ * entry->len is GRUB_ISO9660_SUSP_HEADER_SZ plus the
+ * length of the 'Component Record'. The length of the
+ * record is 2 (pos and pos + 1) plus the actual record
+ * starting at pos + 2. pos stores the 'Component Flags',
+ * pos + 1 specifies the length of actual record.
+ */
+ csize = entry->data[pos + 1] + 2;
+ if (csize + GRUB_ISO9660_SUSP_HEADER_SZ > entry->len)
+ break;
+
/* The current position is the `Component Flag'. */
switch (entry->data[pos] & 30)
{
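Review bot: the new bound `if (csize + GRUB_ISO9660_SUSP_HEADER_SZ > entry->len)` leaves out `pos`, so for every Component Record after the first it compares the record's own size against the whole entry instead of against the bytes left after `pos`; a later record whose length byte is modest can pass the check and still have `&entry->data[pos + 2]` plus `entry->data[pos + 1]` bytes run past `entry->len`, which is exactly the read this series is meant to stop. It should be `if (pos + csize + GRUB_ISO9660_SUSP_HEADER_SZ > entry->len) break;`. Second, the loop head `(pos + GRUB_ISO9660_SUSP_HEADER_SZ) < entry->len` only keeps `entry->data[pos]` inside the entry, while `entry->data[pos + 1]` is read to compute `csize` before the new check runs; `pos + 1 + GRUB_ISO9660_SUSP_HEADER_SZ < entry->len` covers the length byte as well. The comment block could also say that data[0] is the SL flags byte that `pos = 1` skips and that the loop walks several Component Records, since it currently reads as if `entry->len` covered the header plus a single record.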
@@ -681,8 +693,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
return grub_errno;
}
- add_part (ctx, (char *) &entry->data[pos + 2],
- entry->data[pos + 1]);
+ if (entry->data[pos + 1] > 0)
+ {
+ add_part (ctx, (char *) &entry->data[pos + 2],
+ entry->data[pos + 1]);
+ }
ctx->was_continue = (entry->data[pos] & 1);
break;
}
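Review bot: the guard `if (entry->data[pos + 1] > 0)` around add_part needs a comment saying what it protects against: a length of zero asks add_part to copy nothing, so the guard only changes behaviour if add_part does not tolerate a zero length, and the commit message's "an entry may not have component record" does not say which case is meant. It also re-reads the length byte that the loop head already folded into `csize`; `if (csize > 2)` keeps one source of truth. Style: the `break;` under the new length check in the previous hunk is a single-statement body without braces, so `if (entry->data[pos + 1] > 0) add_part (...);` without the added braces matches the surrounding code.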
--
2.35.1
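The entry layout the commit message describes (4-byte SUSP header, SL flags byte at data[0], then Component Records of flags, length and content), with each record's end checked against the bytes remaining after pos rather than against the whole entry, as an added example in C that is not part of this patch or of GRUB's own code. The names SUSP_HEADER_SZ, sl_to_path, append and the CR_* flag macros, and the two sample entries, are this example's own and are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not GRUB code.  The struct mirrors the field order the
 * patch relies on: sig[2], len (whole entry, header included), version,
 * then data[].  For an "SL" entry data[0] is the SL flags byte and the
 * Component Records start at data[1]: {flags, content length, content}.
 * SUSP_HEADER_SZ is this example's own name for the 4-byte header.
 */
#define SUSP_HEADER_SZ 4

/* Component Record flag bits (RRIP): CONTINUE, CURRENT, PARENT, ROOT. */
#define CR_CONTINUE 1
#define CR_CURRENT  2
#define CR_PARENT   4
#define CR_ROOT     8

struct susp_entry {
  uint8_t sig[2];
  uint8_t len;
  uint8_t version;
  uint8_t data[];
};

/* Append len bytes of s to out; return 0, or -1 when out (outsz) is full. */
static int append(char *out, size_t outsz, size_t *used, const char *s, size_t len)
{
  if (*used + len + 1 > outsz)
    return -1;
  memcpy(out + *used, s, len);
  *used += len;
  out[*used] = '\0';
  return 0;
}

/*
 * Translate the Component Records of an SL entry into a POSIX path in out.
 * Returns the number of records consumed, or -1 when a record would extend
 * past entry->len (or out is too small).  The bound includes pos, so it
 * holds for every record, not only the first one.
 */
int sl_to_path(const struct susp_entry *entry, char *out, size_t outsz)
{
  unsigned int pos = 1;          /* data[0] is the SL flags byte */
  size_t used = 0;
  int nrec = 0;
  int was_continue = 0;

  if (outsz == 0)
    return -1;
  out[0] = '\0';
  if (memcmp(entry->sig, "SL", 2) != 0 || entry->len < SUSP_HEADER_SZ + 1)
    return -1;

  /* Both data[pos] (flags) and data[pos + 1] (length) must lie inside
     the entry before either byte is read. */
  while (pos + 1 + SUSP_HEADER_SZ < entry->len) {
    uint8_t flags = entry->data[pos];
    unsigned int clen = entry->data[pos + 1];
    unsigned int csize = clen + 2;

    /* The whole record (2 header bytes + content) must end inside the entry. */
    if (pos + csize + SUSP_HEADER_SZ > entry->len)
      return -1;

    switch (flags & (CR_CURRENT | CR_PARENT | CR_ROOT)) {
    case CR_CURRENT:
      if (append(out, outsz, &used, "./", 2)) return -1;
      break;
    case CR_PARENT:
      if (append(out, outsz, &used, "../", 3)) return -1;
      break;
    case CR_ROOT:
      if (append(out, outsz, &used, "/", 1)) return -1;
      break;
    case 0:
      /* Plain name: add a separator unless the previous record continued
         this component or the path already ends with '/'. */
      if (used > 0 && !was_continue && out[used - 1] != '/')
        if (append(out, outsz, &used, "/", 1)) return -1;
      /* A zero-length content is accepted and simply appends nothing. */
      if (clen > 0 && append(out, outsz, &used, (const char *)&entry->data[pos + 2], clen))
        return -1;
      break;
    default:
      return -1;               /* more than one of CURRENT/PARENT/ROOT set */
    }
    was_continue = flags & CR_CONTINUE;
    pos += csize;
    nrec++;
  }
  return nrec;
}

/* Constructed sample, not taken from any real image: ROOT, "boot", "grub". */
const uint8_t good_entry[] = {
  'S', 'L', 19, 1, 0,
  CR_ROOT, 0,
  0, 4, 'b', 'o', 'o', 't',
  0, 4, 'g', 'r', 'u', 'b'
};

/* Constructed sample whose second record claims 5 content bytes but only 2
   remain.  A bound that omits pos (csize + header = 11 <= 14) accepts it;
   the bound relative to pos (6 + 7 + 4 = 17 > 14) rejects it. */
const uint8_t bad_entry[] = {
  'S', 'L', 14, 1, 0,
  0, 3, 'e', 't', 'c',
  0, 5, 'x', 'y'
};
```

sl_to_path returns -1 instead of breaking out of the loop so that a caller can tell a truncated entry apart from a short but well-formed one; a parser that must keep the partial path, as GRUB's loop does, can break instead, the bound itself is unchanged.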