Re: [PATCH v3 5/5] fs/iso9660: Prevent skipping CE or ST at start of con
From: Thomas Schmitt
Subject: Re: [PATCH v3 5/5] fs/iso9660: Prevent skipping CE or ST at start of continuation area
Date: Sat, 21 Jan 2023 13:59:48 +0100
Hi,
On Fri, 20 Jan 2023 19:39:42 +0000 Lidong Chen <lidong.chen@oracle.com> wrote:
> If processing of a SUSP CE entry leads to a continuation area which
> begins by entry CE or ST, then these entries were skipped without
> interpretation. In case of CE this would lead to premature end of
> processing the SUSP entries of the file. In case of ST this could
> cause following non-SUSP bytes to be interpreted as SUSP entries.
>
> Signed-off-by: Thomas Schmitt <scdbackup@gmx.net>
> Tested-by: Lidong Chen <lidong.chen@oracle.com>
> ---
> grub-core/fs/iso9660.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
> index ca45b3424..3ddb06ed4 100644
> --- a/grub-core/fs/iso9660.c
> +++ b/grub-core/fs/iso9660.c
> @@ -50,6 +50,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
> #define GRUB_ISO9660_VOLDESC_END 255
>
> #define GRUB_ISO9660_SUSP_HEADER_SZ 4
> +#define GRUB_ISO9660_MAX_CE_HOPS 100000
>
> /* The head of a volume descriptor. */
> struct grub_iso9660_voldesc
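Review bot: `GRUB_ISO9660_MAX_CE_HOPS` is defined without a comment saying what counts as a hop or why 100000 was chosen, and the commit message only describes the CE/ST skipping fix, not a hop limit. A short comment at the define, plus a sentence in the commit message saying that the limit guards against CE entries that chain back on themselves, would make the purpose clear to later readers.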
> @@ -270,6 +271,7 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node,
> grub_off_t off,
> char *sua;
> struct grub_iso9660_susp_entry *entry;
> grub_err_t err;
> + int ce_counter = 0;
>
> if (sua_size <= 0)
> return GRUB_ERR_NONE;
> @@ -304,6 +306,13 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node,
> grub_off_t off,
> struct grub_iso9660_susp_ce *ce;
> grub_disk_addr_t ce_block;
>
> + if (++ce_counter > GRUB_ISO9660_MAX_CE_HOPS)
> + {
> + grub_free (sua);
> + return grub_error (GRUB_ERR_BAD_FS,
> + "suspecting endless CE loop");
> + }
> +
> ce = (struct grub_iso9660_susp_ce *) entry;
> sua_size = grub_le_to_cpu32 (ce->len);
> off = grub_le_to_cpu32 (ce->off);
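Review bot: at `if (++ce_counter > GRUB_ISO9660_MAX_CE_HOPS)` the bound still lets an image drive 100000 CE hops within one call of grub_iso9660_susp_iterate before it is rejected, and ce_counter starts at 0 on every call, so the cost applies per iterated system use area. If legitimate images never come near chains of that length, a smaller limit would fail sooner on a crafted one. The error path itself is fine as shown: sua is freed before grub_error is returned.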
> @@ -331,6 +340,13 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node,
> grub_off_t off,
> return err;
>
> entry = (struct grub_iso9660_susp_entry *) sua;
> + /*
> + * The hook function will not process CE or ST.
> + * Advancing to the next entry would skip them.
> + */
> + if (grub_strncmp ((char *) entry->sig, "CE", 2) == 0
> + || grub_strncmp ((char *) entry->sig, "ST", 2) == 0)
> + continue;
> }
>
> if (hook (entry, hook_arg))
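Review bot: the new `grub_strncmp ((char *) entry->sig, "CE", 2)` test reads the first two bytes of the freshly loaded continuation area, and nothing visible in this hunk confirms that the new sua_size, taken from `ce->len` in the previous hunk, covers at least GRUB_ISO9660_SUSP_HEADER_SZ bytes before that read. Please confirm that such a check sits in the lines between the two hunks, or add one before the comparison. The `continue` also depends on the loop condition re-validating the entry against the new sua_size before the CE or ST branch touches it, which is worth stating in the comment.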
> --
> 2.35.1
Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
Have a nice day :)
Thomas
- [PATCH v3 0/5] fs/iso9660: Fix out-of-bounds read, Lidong Chen, 2023/01/20
- [PATCH v3 1/5] fs/iso9660: Add check to prevent infinite loop, Lidong Chen, 2023/01/20
- [PATCH v3 2/5] fs/iso9660: Prevent read past the end of system use area, Lidong Chen, 2023/01/20
- [PATCH v3 3/5] fs/iso9660: Avoid reading past the entry boundary, Lidong Chen, 2023/01/20
- [PATCH v3 4/5] fs/iso9660: Incorrect check for entry boundary, Lidong Chen, 2023/01/20
- [PATCH v3 5/5] fs/iso9660: Prevent skipping CE or ST at start of continuation area, Lidong Chen, 2023/01/20
- Re: [PATCH v3 5/5] fs/iso9660: Prevent skipping CE or ST at start of continuation area, Thomas Schmitt <=
- Re: [PATCH v3 0/5] fs/iso9660: Fix out-of-bounds read, Daniel Kiper, 2023/01/25