Re: [PATCH v2 3/5] fs/iso9660: Avoid reading past the entry boundary

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 3/5] fs/iso9660: Avoid reading past the entry boundary

From:	Thomas Schmitt
Subject:	Re: [PATCH v2 3/5] fs/iso9660: Avoid reading past the entry boundary
Date:	Wed, 18 Jan 2023 17:14:56 +0100

Hi,

On Wed, 18 Jan 2023 08:23:56 +0000 Lidong Chen <lidong.chen@oracle.com> wrote:
> Added a check for the SP entry data boundary before reading it.
>
> Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
> Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
> ---
>  grub-core/fs/iso9660.c | 16 ++++++++++++++--
>  1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
> index 65c8862b6..c6d65fc22 100644
> --- a/grub-core/fs/iso9660.c
> +++ b/grub-core/fs/iso9660.c
> @@ -409,6 +409,9 @@ set_rockridge (struct grub_iso9660_data *data)
>    if (!sua_size)
>      return GRUB_ERR_NONE;
>
> +  if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
> +    return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size");
> +
>    sua = grub_malloc (sua_size);
>    if (! sua)
>      return grub_errno;
> @@ -435,8 +438,17 @@ set_rockridge (struct grub_iso9660_data *data)
>        rootnode.have_symlink = 0;
>        rootnode.dirents[0] = data->voldesc.rootdir;
>
> -      /* The 2nd data byte stored how many bytes are skipped every time
> -      to get to the SUA (System Usage Area).  */
> +      /* The size of SP (version 1) is fixed to 7. */
> +      if (sua_size < 7 || entry->len < 7)
> +     {
> +       grub_free (sua);
> +       return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry");
> +     }
> +
> +      /*
> +       * The 2nd data byte stored how many bytes are skipped every time
> +       * to get to the SUA (System Usage Area).
> +       */
>        data->susp_skip = entry->data[2];
>        entry = (struct grub_iso9660_susp_entry *) ((char *) entry + 
> entry->len);
>
> --
> 2.35.1

Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>

My minor objections towards v1 are now addressed.


Have a nice day :)

Thomas

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v2 0/5] fs/iso9660: Fix out-of-bounds read, Lidong Chen, 2023/01/18
- [PATCH v2 4/5] fs/iso9660: Incorrect check for entry boundary, Lidong Chen, 2023/01/18
  - Re: [PATCH v2 4/5] fs/iso9660: Incorrect check for entry boundary, Thomas Schmitt, 2023/01/18
- [PATCH v2 3/5] fs/iso9660: Avoid reading past the entry boundary, Lidong Chen, 2023/01/18
  - Re: [PATCH v2 3/5] fs/iso9660: Avoid reading past the entry boundary, Thomas Schmitt <=
- [PATCH v2 1/5] fs/iso9660: Add check to prevent infinite loop, Lidong Chen, 2023/01/18
  - Re: [PATCH v2 1/5] fs/iso9660: Add check to prevent infinite loop, Thomas Schmitt, 2023/01/18
    - Re: [PATCH v2 1/5] fs/iso9660: Add check to prevent infinite loop, Lidong Chen, 2023/01/18
- [PATCH v2 5/5] fs/iso9660: Prevent skipping CE or ST at start of continuation area, Lidong Chen, 2023/01/18
  - Re: [PATCH v2 5/5] fs/iso9660: Prevent skipping CE or ST at start of continuation area, Thomas Schmitt, 2023/01/18
    - Re: [PATCH v2 5/5] fs/iso9660: Prevent skipping CE or ST at start of continuation area, Lidong Chen, 2023/01/18
- [PATCH v2 2/5] fs/iso9660: Prevent read past the end of system use area, Lidong Chen, 2023/01/18
  - Re: [PATCH v2 2/5] fs/iso9660: Prevent read past the end of system use area, Thomas Schmitt, 2023/01/18
- Re: [PATCH v2 0/5] fs/iso9660: Fix out-of-bounds read, Thomas Schmitt, 2023/01/18
  - Re: [PATCH v2 0/5] fs/iso9660: Fix out-of-bounds read, Lidong Chen, 2023/01/18

Prev by Date: Re: [PATCH v2 2/5] fs/iso9660: Prevent read past the end of system use area
Next by Date: Re: [PATCH v2 4/5] fs/iso9660: Incorrect check for entry boundary
Previous by thread: [PATCH v2 3/5] fs/iso9660: Avoid reading past the entry boundary
Next by thread: [PATCH v2 1/5] fs/iso9660: Add check to prevent infinite loop
Index(es):
- Date
- Thread