Re: [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary

Thu, 15 Dec 2022 10:08:43 -0800 

Hi,

On Wed, 14 Dec 2022 18:55:04 +0000 Lidong Chen <lidong.c...@oracle.com> wrote:
> Added a check for the SP entry data boundary before reading it.
>
> Signed-off-by: Lidong Chen <lidong.c...@oracle.com>
> ---
>  grub-core/fs/iso9660.c | 16 ++++++++++++++--
>  1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
> index 9170fa820..67aa8451c 100644
> --- a/grub-core/fs/iso9660.c
> +++ b/grub-core/fs/iso9660.c
> @@ -408,6 +408,9 @@ set_rockridge (struct grub_iso9660_data *data)
>    if (!sua_size)
>      return GRUB_ERR_NONE;
>
> +  if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)

As mentioned in my review of patch [2/4], GRUB_ISO9660_SUSP_HEADER_SZ should
be defined as 4, rather than as 5. Else entry RE could trigger this error:

> +    return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size");
> +
>    sua = grub_malloc (sua_size);
>    if (! sua)
>      return grub_errno;
> @@ -434,8 +437,17 @@ set_rockridge (struct grub_iso9660_data *data)
>        rootnode.have_symlink = 0;
>        rootnode.dirents[0] = data->voldesc.rootdir;
>
> -      /* The 2nd data byte stored how many bytes are skipped every time
> -      to get to the SUA (System Usage Area).  */
> +      /*
> +       * The 2nd data byte stored how many bytes are skipped every time
> +       * to get to the SUA (System Usage Area).
> +       */
> +      if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ + 2 ||
> +       entry->len < GRUB_ISO9660_SUSP_HEADER_SZ + 2)

This interprets an SP entry, which is specified to have 7 bytes.
So if GRUB_ISO9660_SUSP_HEADER_SZ gets corrected to 4, then the size demand
will have to be (GRUB_ISO9660_SUSP_HEADER_SZ + 3).

Like with the NM interpretation i would rather prefer a plain "7", maybe with
a comment which says that this is the fixed size of SP (version 1).


> +     {
> +       grub_free (sua);
> +       return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry");
> +     }
> +
>        data->susp_skip = entry->data[2];
>        entry = (struct grub_iso9660_susp_entry *) ((char *) entry + 
> entry->len);
>
> --
> 2.35.1
>

Reviewed-by: Thomas Schmitt <scdbac...@gmx.net>

But the expression (GRUB_ISO9660_SUSP_HEADER_SZ + 2) will need correction if
my wish for
  #define GRUB_ISO9660_SUSP_HEADER_SZ 4
gets fulfilled. As said, i'd prefer a plain "7".


Have a nice day :)

Thomas


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to