Re: [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary

From:	Lidong Chen
Subject:	Re: [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary
Date:	Mon, 19 Dec 2022 08:42:48 +0000


> On Dec 15, 2022, at 10:08 AM, Thomas Schmitt <scdbackup@gmx.net> wrote:
> 
> Hi,
> 
> On Wed, 14 Dec 2022 18:55:04 +0000 Lidong Chen <lidong.chen@oracle.com> wrote:
>> Added a check for the SP entry data boundary before reading it.
>> 
>> Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
>> ---
>> grub-core/fs/iso9660.c | 16 ++++++++++++++--
>> 1 file changed, 14 insertions(+), 2 deletions(-)
>> 
>> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
>> index 9170fa820..67aa8451c 100644
>> --- a/grub-core/fs/iso9660.c
>> +++ b/grub-core/fs/iso9660.c
>> @@ -408,6 +408,9 @@ set_rockridge (struct grub_iso9660_data *data)
>>   if (!sua_size)
>>     return GRUB_ERR_NONE;
>> 
>> +  if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
> 
> As mentioned in my review of patch [2/4], GRUB_ISO9660_SUSP_HEADER_SZ should
> be defined as 4, rather than as 5. Else entry RE could trigger this error:
> 
>> +    return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size");
>> +
>>   sua = grub_malloc (sua_size);
>>   if (! sua)
>>     return grub_errno;
>> @@ -434,8 +437,17 @@ set_rockridge (struct grub_iso9660_data *data)
>>       rootnode.have_symlink = 0;
>>       rootnode.dirents[0] = data->voldesc.rootdir;
>> 
>> -      /* The 2nd data byte stored how many bytes are skipped every time
>> -     to get to the SUA (System Usage Area).  */
>> +      /*
>> +       * The 2nd data byte stored how many bytes are skipped every time
>> +       * to get to the SUA (System Usage Area).
>> +       */
>> +      if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ + 2 ||
>> +      entry->len < GRUB_ISO9660_SUSP_HEADER_SZ + 2)
> 
> This interprets an SP entry, which is specified to have 7 bytes.
> So if GRUB_ISO9660_SUSP_HEADER_SZ gets corrected to 4, then the size demand
> will have to be (GRUB_ISO9660_SUSP_HEADER_SZ + 3).
> 
> Like with the NM interpretation i would rather prefer a plain "7", maybe with
> a comment which says that this is the fixed size of SP (version 1).
> 
> 
>> +    {
>> +      grub_free (sua);
>> +      return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry");
>> +    }
>> +
>>       data->susp_skip = entry->data[2];
>>       entry = (struct grub_iso9660_susp_entry *) ((char *) entry + 
>> entry->len);
>> 
>> --
>> 2.35.1
>> 
> 
> Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
> 
> But the expression (GRUB_ISO9660_SUSP_HEADER_SZ + 2) will need correction if
> my wish for
>  #define GRUB_ISO9660_SUSP_HEADER_SZ 4
> gets fulfilled. As said, i'd prefer a plain "7".
> 

Ok, I will change it to a plain ‘7’ and add a comment for it.

Thanks,
Lidong

> 
> Have a nice day :)
> 
> Thomas
>

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/4] fs/iso9660: Fix out-of-bounds read, Lidong Chen, 2022/12/14
- [PATCH 2/4] fs/iso9660: Prevent read past the end of system use area, Lidong Chen, 2022/12/14
  - Re: [PATCH 2/4] fs/iso9660: Prevent read past the end of system use area, Thomas Schmitt, 2022/12/15
    - Re: [PATCH 2/4] fs/iso9660: Prevent read past the end of system use area, Lidong Chen, 2022/12/19
  - Re: [PATCH 2/4] fs/iso9660: Prevent read past the end of system use area, Thomas Schmitt, 2022/12/16
  - Proposal: fs/iso9660: Prevent skipping CE or ST at start of continuation area, Thomas Schmitt, 2022/12/16
    - Proposal v2: fs/iso9660: Prevent skipping CE or ST at start of continuation area, Thomas Schmitt, 2022/12/16
    - Re: Proposal v2: fs/iso9660: Prevent skipping CE or ST at start of continuation area, Lidong Chen, 2022/12/20
- [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary, Lidong Chen, 2022/12/14
  - Re: [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary, Thomas Schmitt, 2022/12/15
    - Re: [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary, Lidong Chen <=
- [PATCH 1/4] fs/iso9660: Add check to prevent infinite loop, Lidong Chen, 2022/12/14
  - Re: [PATCH 1/4] fs/iso9660: Add check to prevent infinite loop, Thomas Schmitt, 2022/12/15
    - Re: [PATCH 1/4] fs/iso9660: Add check to prevent infinite loop, Lidong Chen, 2022/12/19
    - Re: [PATCH 1/4] fs/iso9660: Add check to prevent infinite loop, Thomas Schmitt, 2022/12/19
- [PATCH 4/4] fs/iso9660: Incorrect check for entry boudary, Lidong Chen, 2022/12/14
  - Re: [PATCH 4/4] fs/iso9660: Incorrect check for entry boudary, Thomas Schmitt, 2022/12/15
    - Re: [PATCH 4/4] fs/iso9660: Incorrect check for entry boudary, Lidong Chen, 2022/12/19
    - Re: [PATCH 4/4] fs/iso9660: Incorrect check for entry boudary, Thomas Schmitt, 2022/12/20
- Re: [PATCH 0/4] fs/iso9660: Fix out-of-bounds read, Thomas Schmitt, 2022/12/14
  - Re: [PATCH 0/4] fs/iso9660: Fix out-of-bounds read, Lidong Chen, 2022/12/19

Prev by Date: Re: [PATCH 2/4] fs/iso9660: Prevent read past the end of system use area
Next by Date: Re: [PATCH 1/4] fs/iso9660: Add check to prevent infinite loop
Previous by thread: Re: [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary
Next by thread: [PATCH 1/4] fs/iso9660: Add check to prevent infinite loop
Index(es):
- Date
- Thread