grub-devel

Re: [PATCH v3 1/5] fs/iso9660: Add check to prevent infinite loop


From: Daniel Kiper
Subject: Re: [PATCH v3 1/5] fs/iso9660: Add check to prevent infinite loop
Date: Thu, 2 Feb 2023 20:35:53 +0100

On Fri, Jan 20, 2023 at 07:39:38PM +0000, Lidong Chen wrote:
> There is no check for the end of block when reading
> directory extents. It resulted in read_node() always
> reading from the same offset in the while loop, thus
> causing an infinite loop. The fix added a check for the
> end of the block and ensures the read is within the
> directory boundary.
>
> Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
> Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
> ---
>  grub-core/fs/iso9660.c | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>
> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
> index 91817ec1f..4f4cd6165 100644
> --- a/grub-core/fs/iso9660.c
> +++ b/grub-core/fs/iso9660.c
> @@ -795,6 +795,15 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
>       while (dirent.flags & FLAG_MORE_EXTENTS)
>         {
>           offset += dirent.len;
> +
> +         /* offset should within the dir's len. */
> +         if (offset > len)
> +           {
> +             if (ctx.filename_alloc)
> +               grub_free (ctx.filename);

Coverity discovered this hunk was leaking node memory. I have added a
grub_free(node) call here and it stopped complaining. Now patches are in...

> +             return 0;
> +           }
> +
>           if (read_node (dir, offset, sizeof (dirent), (char *) &dirent))
>             {
>               if (ctx.filename_alloc)
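Review bot: the new `if (offset > len)` exit frees `ctx.filename` but not `node`, whereas the `read_node` failure path just below it frees both, so the node allocated for this entry leaks on this return; add `grub_free (node);` before `return 0;` to match that path. Two smaller points on the same lines: with `>` rather than `>=`, `offset == len` passes the check and the following `read_node (dir, offset, sizeof (dirent), (char *) &dirent)` starts its read at the directory's end, so unless `read_node` rejects that itself (not shown in this hunk) `>=` looks like the intended bound; and the comment `/* offset should within the dir's len. */` is missing "be".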
> @@ -802,6 +811,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
>               grub_free (node);
>               return 0;
>             }
> +
> +         /*
> +          * It is either the end of block or zero-padded sector,
> +          * skip to the next block.
> +          */
> +         if (!dirent.len)
> +           {
> +             offset = (offset / GRUB_ISO9660_BLKSZ + 1) * GRUB_ISO9660_BLKSZ;
> +             dirent.flags |= FLAG_MORE_EXTENTS;
> +             continue;
> +           }
> +
>           if (node->have_dirents >= node->alloc_dirents)
>             {
>               struct grub_fshelp_node *new_node;
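Review bot: the skip at `if (!dirent.len)` sets `dirent.flags |= FLAG_MORE_EXTENTS;` and then `continue`s, which re-enters the loop at `offset += dirent.len` with `dirent.len` still zero, so once the remaining blocks of the directory are zero padding the only thing that ends the loop is the `offset > len` check at the top of the `while`; the comment should say that termination relies on that check, and that the OR on the flags is needed because the flags byte of a zero-filled record is itself zero and would otherwise end the `while` before the next block is read. The comment also describes only "the end of block or zero-padded sector", but a zero `dirent.len` in a record that still claims more extents is exactly the crafted case the commit message describes (the same offset re-read forever), so it is worth naming that case here as the reason the skip is a security fix and not just a padding convenience.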

Daniel
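An added example, not GRUB's code and not part of this thread: the C program below models the inner extent-chain loop that the patch bounds and runs it over a constructed three-block ISO 9660 directory, once as the loop before the patch and once with the patch's two checks. The constructed directory holds an entry whose two extent records are separated by zero padding at a block boundary, and a second entry followed by a crafted zero-length record that still claims more extents follow. The record layout (length at byte 0, file flags at byte 25, name length at byte 32, name from byte 33) is ECMA-119's; the 128-byte block size, the offsets, the `read_node` stand-in, the `budget` iteration cap and the function names are assumptions made for the example. The bounded variant uses `>=` rather than the patch's `>`, so that no read starts at the directory's end.

```c
/* Added example, not GRUB code: a model of the extent-chain loop bounded by
 * the patch above, run on a constructed ISO 9660 directory. Record layout
 * per ECMA-119: length at byte 0, file flags at byte 25 (bit 7 = more
 * extents follow), name length at byte 32, name from byte 33. Block size,
 * offsets and the read_node stand-in are assumptions for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLKSZ 128u               /* constructed; a real volume uses 2048 */
#define DIR_LEN (3u * BLKSZ)     /* constructed directory: three blocks */
#define FLAG_MORE_EXTENTS 0x80
#define REC_FLAGS 25
#define REC_NAMELEN 32
#define REC_NAME 33              /* also the header size read per record */

/* Stand-in for read_node(): copy `size` bytes at `offset` out of the
 * directory extent, refusing any read that would leave it. */
static int read_node(const uint8_t *dir, size_t len, size_t offset,
                     size_t size, uint8_t *out)
{
    if (offset > len || size > len - offset)
        return -1;
    memcpy(out, dir + offset, size);
    return 0;
}

/* Follow one entry's chain of extent records from `offset`. Returns the
 * number of records in the chain, -1 if it leaves the directory, or -2 if
 * `budget` iterations pass without the loop ending. fixed == 0 is the loop
 * before the patch: a zero-length record leaves `offset` unchanged. */
static int walk_extents(const uint8_t *dir, size_t len, size_t offset,
                        int fixed, int budget)
{
    uint8_t rec[REC_NAME];
    int count = 1;

    if (read_node(dir, len, offset, sizeof rec, rec))
        return -1;
    while (rec[REC_FLAGS] & FLAG_MORE_EXTENTS) {
        if (budget-- <= 0)
            return -2;                    /* still spinning: the bug */
        offset += rec[0];                 /* byte 0: record length */
        /* The patch's bound, with >= so no read starts at len. */
        if (fixed && offset >= len)
            return -1;
        if (read_node(dir, len, offset, sizeof rec, rec))
            return -1;
        if (rec[0] == 0) {
            if (!fixed)
                continue;                 /* re-reads the same bytes */
            /* End of block or padding: resume at the next block. */
            offset = (offset / BLKSZ + 1) * BLKSZ;
            rec[REC_FLAGS] |= FLAG_MORE_EXTENTS;
            continue;
        }
        count++;
    }
    return count;
}

/* Write one record header plus a one-byte name at `off`. */
static void put_record(uint8_t *dir, size_t off, uint8_t len, uint8_t flags,
                       char name)
{
    dir[off] = len;
    dir[off + REC_FLAGS] = flags;
    dir[off + REC_NAMELEN] = 1;
    dir[off + REC_NAME] = (uint8_t) name;
}

/* Constructed directory, other bytes zero: block 0 holds entry "F" with
 * more-extents set and then padding, block 1 its second extent, block 2
 * entry "X" followed by a crafted length-0 record that claims more extents. */
static void build_dir(uint8_t dir[DIR_LEN])
{
    memset(dir, 0, DIR_LEN);
    put_record(dir, 0 * BLKSZ, 34, FLAG_MORE_EXTENTS, 'F');
    put_record(dir, 1 * BLKSZ, 34, 0, 'F');
    put_record(dir, 2 * BLKSZ, 34, FLAG_MORE_EXTENTS, 'X');
    put_record(dir, 2 * BLKSZ + 34, 0, FLAG_MORE_EXTENTS, 'X');
}

/* Build the directory and walk the chain that starts at `start`. */
int walk_constructed_dir(size_t start, int fixed)
{
    uint8_t dir[DIR_LEN];
    build_dir(dir);
    return walk_extents(dir, DIR_LEN, start, fixed, 64);
}

int main(void)
{
    printf("F: unfixed %d, fixed %d\n", walk_constructed_dir(0, 0), walk_constructed_dir(0, 1));
    printf("X: unfixed %d, fixed %d\n", walk_constructed_dir(2 * BLKSZ, 0), walk_constructed_dir(2 * BLKSZ, 1));
    return 0;
}
```

Run as is, it prints `F: unfixed 1, fixed 2` and `X: unfixed -2, fixed -1`. On the crafted entry the unbounded loop re-reads the zero-length record at the same offset until the cap expires, which is the hang the commit message describes, while the bounded loop jumps to the next block and then stops at the directory's end. On the legitimate entry the unbounded loop in this model stops at the padding without finding the second extent, whereas the bounded loop follows the chain across the block boundary.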


