grub-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Proposal v2: fs/iso9660: Prevent skipping CE or ST at start of conti

From: Lidong Chen
Subject: Re: Proposal v2: fs/iso9660: Prevent skipping CE or ST at start of continuation area
Date: Thu, 12 Jan 2023 05:28:28 +0000 
Hi Thomas,

> On Jan 11, 2023, at 3:54 AM, Thomas Schmitt <scdbackup@gmx.net> wrote:
> 
> Hi,
> 
> i created another bad ISO which i expect to lead to an endless loop in
> existing GRUB (i.e. before applying the proposed change).
> 
> Both ISOs can be downloaded as gzip-compressed files now:
> 
>  http://scdbackup.webframe.org/ce_loop.iso.gz
>  SHA256: d86b73b0cc260968f50c30a5207b798f5fc2396233aee5eb3cedf9cef069f3c2
> 
>  http://scdbackup.webframe.org/ce_loop2.iso.gz
>  SHA256: a6bde0c1562de8959d783bca0a79ad750da2bc129bdea2362b4a7c3e83426b2c
> 
> They are smaller than 1 KB and expand to 128 KiB, each.
> 
> (Please do not load these ISOs into existing xorriso programs by commands
> like -indev. ce_loop.iso leads to SIGSEGV. ce_loop2.iso leads to an
> endless loop. The libisofs code fix is only in git for now.)
> 
I have downloaded the ISOs. Thanks!

> ------------------------------------------------------------------------
> Test proposals for GRUB:
> 
> If reading ce_loop.iso by GRUB leads to an error message, then my proposed
> change is in effect and protected against endless loops.
> Original GRUB is supposed to just ignore that situation, because it skips
> over the CE entry by mistake.
> 
> If reading ce_loop2.iso by GRUB leads to an error message, then the
> proposed safety precaution against endless loops is in effect.
> I expect unpatched GRUB to loop endlessly with this ISO.
> 
To test it, I am thinking to add the ISO entry in 40_custom script, then select
the ISO from Grub menu. Is it the right way to test it? Or, is there a better 
way
to it? 

> ------------------------------------------------------------------------
> About the production of ce_loop2.iso:
> 
> The CE entry of its file /x points to a dummy SUSP entry XY of length 8
> which sits directly before the CE entry. So this dummy entry is the
> first to be read by GRUB from the pseudo-contination area, gets processed
> by the hook() function (with no side effects), and is then followed by
> the CE entry.
> Because of the existence of the XY entry, i expect the CE entry not to
> be skipped by existing GRUB.
> 
>  # Production begins by the bad ISO of January 9 where the CE entry
>  # points to itself
>  cp ce_loop.iso ce_loop2.iso
> 
>  # Cut out a copy of the bad CE entry
>  dd if=ce_loop2.iso bs=1 skip=102734 count=28 of=ce_entry
> 
>  # After the CE entry is plenty of unused space in the same block.
>  # The length of the directory entry of /x plus 8 will not exceed 255.
>  # So put the copy back with an offset of 8 bytes.
>  dd if=ce_entry bs=1 seek=102742 conv=notrunc of=ce_loop2.iso
> 
>  # Rename the old CE entry head to XY
>  echo "XY" | dd bs=1 seek=102734 count=2 conv=notrunc of=ce_loop2.iso
> 
>  # Give it the length of 8
>  echo $'\x08' | dd bs=1 seek=102736 count=1 conv=notrunc of=ce_loop2.iso
> 
>  # Set in the new CE entry the continuation area length to 8 + 28 = 36
>  echo $'\x24' | dd bs=1 seek=102762 count=1 conv=notrunc of=ce_loop2.iso
>  echo $'\x24' | dd bs=1 seek=102769 count=1 conv=notrunc of=ce_loop2.iso
> 
>  # Change the length of the directory record from 134 to 142
>  echo $'\x8e' |  dd bs=1 seek=102628 count=1 conv=notrunc of=ce_loop2.iso
> 
> The resulting bytes of the whole directory record of /x are then:
> 
> 000190e0 :    ..  ..  ..  ..  8e  00  37  00  00  00  00  00  00  37  02  00
>               .   .   .   .           7                           7
>  102624 :   ... ... ... ... 142   0  55   0   0   0   0   0   0  55   2   0
> 
> 000190f0 :    00  00  00  00  00  02  7b  01  09  08  08  1c  00  00  00  00
>                                       {
>  102640 :     0   0   0   0   0   2 123   1   9   8   8  28   0   0   0   0
> 
> 00019100 :    01  00  00  01  04  58  2e  3b  31  00  50  58  24  01  a4  81
>                                   X   .   ;   1       P   X   $
>  102656 :     1   0   0   1   4  88  46  59  49   0  80  88  36   1 164 129
> 
> 00019110 :    00  00  00  00  81  a4  01  00  00  00  00  00  00  01  e8  03
> 
>  102672 :     0   0   0   0 129 164   1   0   0   0   0   0   0   1 232   3
> 
> 00019120 :    00  00  00  00  03  e8  e8  03  00  00  00  00  03  e8  54  46
>                                                                       T   F
>  102688 :     0   0   0   0   3 232 232   3   0   0   0   0   3 232  84  70
> 
> 00019130 :    1a  01  0e  7b  01  09  08  08  1c  00  7b  01  09  08  08  2f
>                           {                           {                   /
>  102704 :    26   1  14 123   1   9   8   8  28   0 123   1   9   8   8  47
> 
> 00019140 :    00  7b  01  09  08  08  1c  00  4e  4d  06  01  00  78  58  59
>                   {                           N   M               x   X   Y
>  102720 :     0 123   1   9   8   8  28   0  78  77   6   1   0 120  88  89
> 
> 00019150 :    08  01  32  00  00  00  43  45  1c  01  32  00  00  00  00  00
>                       2               C   E           2
>  102736 :     8   1  50   0   0   0  67  69  28   1  50   0   0   0   0   0
> 
> 00019160 :    00  32  4e  01  00  00  00  00  01  4e  24  00  00  00  00  00
>                   2   N                           N   $
>  102752 :     0  50  78   1   0   0   0   0   1  78  36   0   0   0   0   0
> 
> 00019170 :    00  24  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..
>                   $   .   .   .   .   .   .   .   .   .   .   .   .   .   .
>  102768 :     0  36 ... ... ... ... ... ... ... ... ... ... ... ... … …
> 
Thanks a lot for the detail instruction! It is very helpful for the test as 
well as for my learning.

Regards,
Lidong

> ------------------------------------------------------------------------
> 
> Have a nice day :)
> 
> Thomas
>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]