Possible memory fault in fs/iso9660

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Possible memory fault in fs/iso9660

From:	Thomas Schmitt
Subject:	Possible memory fault in fs/iso9660
Date:	Sat, 19 Nov 2022 13:38:17 +0100

Hi,

(Cc-ing t.feng in the hope that this issue can become part of the code
review.)

While reviewing "[PATCH 7/9]" by t.feng, i wonder whether there is a bug
in grub_iso9660_susp_iterate() in regard to the end of the SUSP data:

  for (entry = (struct grub_iso9660_susp_entry *) sua; (char *) entry < (char 
*) sua + sua_size - 1 && entry->len > 0;
       entry = (struct grub_iso9660_susp_entry *)
         ((char *) entry + entry->len))
    {

I think the loop end condition should use 4 rather than 1:

       (char *) entry < (char *) sua + sua_size - 4 && entry->len > 0

The entry struct has at least 4 bytes:

  struct grub_iso9660_susp_entry
  {
    grub_uint8_t sig[2];
    grub_uint8_t len;
    grub_uint8_t version;
    grub_uint8_t data[0];
  } GRUB_PACKED;

Especially the expression
  entry->len > 0
reads beyond the end of the allocated buffer sua if

  entry >= sua + sua_size - 3


It does not look as if there are guard rails installed yet:

The size of the allocated space (parameter sua_size) is determined by the
callers of grub_iso9660_susp_iterate from struct grub_iso9660_dir objects,
which obviously represent ISO 9660 directory entry bytes as read from the
filesystem.

---------------------------------------------------------------------------

So the producer of the ISO filesystem can create in GRUB the impression
of trailing bytes which form no valid SUSP entry. This may even happen in
good faith because a ISO 9660 System Use field may hold data which are not
under control of the SUSP protocol.

There is a "ST" entry specified which explcitely ends the range of SUSP.
But the SUSP specs, both 1.10 and 1.12, mention that a System Use field
or a Continuation area may end without ST entry with up to 3 remaining
bytes which shall be ignored. From SUSP 1.12:

  If the remaining allocated space following the last recorded System Use
  Entry in a System Use field or Continuation Area is less than four bytes
  long, it cannot contain a System Use Entry and shall be ignored.
  Otherwise an "ST" System Use Entry (see section 5.4) shall be the last
  System Use Entry recorded in a System Use field or Continuation Area.

Neither mkisofs/genisominage nor libisofs write any ST entries. At least
for libisofs i can state that there is no trailing non-SUSP data announced
by the size of the directory entry or the Continuation Area.


Have a nice day :)

Thomas

[Prev in Thread]

Current Thread

[Next in Thread]

Possible memory fault in fs/iso9660, Thomas Schmitt <=
- Re: Possible memory fault in fs/iso9660 (correction), Thomas Schmitt, 2022/11/19
  - Re: Possible memory fault in fs/iso9660 (correction), Daniel Kiper, 2022/11/24
    - Re: Possible memory fault in fs/iso9660 (correction), Thomas Schmitt, 2022/11/24
    - Re: Possible memory fault in fs/iso9660 (correction), Fengtao (fengtao, Euler), 2022/11/29
    - Re: Possible memory fault in fs/iso9660 (correction), Daniel Kiper, 2022/11/29
    - Re: Possible memory fault in fs/iso9660 (correction), Thomas Schmitt, 2022/11/29
    - Re: Possible memory fault in fs/iso9660 (correction), Thomas Schmitt, 2022/11/29

Prev by Date: Re: [PATCH 7/9] fs/iso9660: Fix memory leak in grub_iso9660_susp_iterate
Next by Date: Re: Possible memory fault in fs/iso9660 (correction)
Previous by thread: [PATCH 0/9] fix memory leaks in fs module
Next by thread: Re: Possible memory fault in fs/iso9660 (correction)
Index(es):
- Date
- Thread