Re: [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary

Mon, 19 Dec 2022 00:43:44 -0800 


> On Dec 15, 2022, at 10:08 AM, Thomas Schmitt <scdbac...@gmx.net> wrote:
> 
> Hi,
> 
> On Wed, 14 Dec 2022 18:55:04 +0000 Lidong Chen <lidong.c...@oracle.com> wrote:
>> Added a check for the SP entry data boundary before reading it.
>> 
>> Signed-off-by: Lidong Chen <lidong.c...@oracle.com>
>> ---
>> grub-core/fs/iso9660.c | 16 ++++++++++++++--
>> 1 file changed, 14 insertions(+), 2 deletions(-)
>> 
>> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
>> index 9170fa820..67aa8451c 100644
>> --- a/grub-core/fs/iso9660.c
>> +++ b/grub-core/fs/iso9660.c
>> @@ -408,6 +408,9 @@ set_rockridge (struct grub_iso9660_data *data)
>>   if (!sua_size)
>>     return GRUB_ERR_NONE;
>> 
>> +  if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
> 
> As mentioned in my review of patch [2/4], GRUB_ISO9660_SUSP_HEADER_SZ should
> be defined as 4, rather than as 5. Else entry RE could trigger this error:
> 
>> +    return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size");
>> +
>>   sua = grub_malloc (sua_size);
>>   if (! sua)
>>     return grub_errno;
>> @@ -434,8 +437,17 @@ set_rockridge (struct grub_iso9660_data *data)
>>       rootnode.have_symlink = 0;
>>       rootnode.dirents[0] = data->voldesc.rootdir;
>> 
>> -      /* The 2nd data byte stored how many bytes are skipped every time
>> -     to get to the SUA (System Usage Area).  */
>> +      /*
>> +       * The 2nd data byte stored how many bytes are skipped every time
>> +       * to get to the SUA (System Usage Area).
>> +       */
>> +      if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ + 2 ||
>> +      entry->len < GRUB_ISO9660_SUSP_HEADER_SZ + 2)
> 
> This interprets an SP entry, which is specified to have 7 bytes.
> So if GRUB_ISO9660_SUSP_HEADER_SZ gets corrected to 4, then the size demand
> will have to be (GRUB_ISO9660_SUSP_HEADER_SZ + 3).
> 
> Like with the NM interpretation i would rather prefer a plain "7", maybe with
> a comment which says that this is the fixed size of SP (version 1).
> 
> 
>> +    {
>> +      grub_free (sua);
>> +      return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry");
>> +    }
>> +
>>       data->susp_skip = entry->data[2];
>>       entry = (struct grub_iso9660_susp_entry *) ((char *) entry + 
>> entry->len);
>> 
>> --
>> 2.35.1
>> 
> 
> Reviewed-by: Thomas Schmitt <scdbac...@gmx.net>
> 
> But the expression (GRUB_ISO9660_SUSP_HEADER_SZ + 2) will need correction if
> my wish for
>  #define GRUB_ISO9660_SUSP_HEADER_SZ 4
> gets fulfilled. As said, i'd prefer a plain "7".
> 

Ok, I will change it to a plain ‘7’ and add a comment for it.

Thanks,
Lidong

> 
> Have a nice day :)
> 
> Thomas
> 

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to