[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2 5/5] fs/iso9660: Prevent skipping CE or ST at start of con
From: |
Thomas Schmitt |
Subject: |
Re: [PATCH v2 5/5] fs/iso9660: Prevent skipping CE or ST at start of continuation area |
Date: |
Wed, 18 Jan 2023 17:21:14 +0100 |
Hi,
On Wed, 18 Jan 2023 08:23:58 +0000 Lidong Chen <lidong.chen@oracle.com> wrote:
> If processing of a SUSP CE entry leads to a continuation area which
> begins by entry CE or ST, then these entries were skipped without
> interpretation. In case of CE this would lead to premature end of
> processing the SUSP entries of the file. In case of ST this could
> cause following non-SUSP bytes to be interpreted as SUSP entries.
>
> Signed-off-by: Thomas Schmitt scdbackup@gmx.net
> ---
> grub-core/fs/iso9660.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
> index ca45b3424..c3ed11f04 100644
> --- a/grub-core/fs/iso9660.c
> +++ b/grub-core/fs/iso9660.c
> @@ -331,6 +331,18 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node,
> grub_off_t off,
> return err;
>
> entry = (struct grub_iso9660_susp_entry *) sua;
> + /*
> + * The hook function will not process CE or ST.
> + * Advancing to the next entry would skip them.
> + */
> + ce = (struct grub_iso9660_susp_ce *) entry;
> + if (ce_block != grub_le_to_cpu32 (ce->blk) << GRUB_ISO9660_LOG2_BLKSZ
> + || off != grub_le_to_cpu32 (ce->off))
> + continue;
> + /*
> + * Ending up here indicates an endless loop by self reference.
> + * So skip this bad CE.
> + */
> }
>
> if (hook (entry, hook_arg))
> --
> 2.35.1
This looks like the part of my retracted v2 proposal which was intended to
break the possible endless loop by self-referring CE entries:
Date: Fri, 16 Dec 2022 13:57:04 +0100
Message-Id: <31992389627932343306@scdbackup.webframe.org>
Subject: Proposal v2: fs/iso9660: Prevent skipping CE or ST at start of
continuation area
But the problem of CE and ST at the start of a continuation area is not
fixed by the above.
What remains after postponing the loop breaker is (hopefully) addressed by
my proposal v1:
Date: Fri, 16 Dec 2022 10:42:13 +0100
Message-Id: <19021389617225107434@scdbackup.webframe.org>
Subject: Proposal: fs/iso9660: Prevent skipping CE or ST at start of
continuation area
--- grub-core/fs/iso9660.c.lidong_chen_patch_2 2022-12-15 11:46:50.654295924 +0
100
+++ grub-core/fs/iso9660.c.lidong_chen_patch_2_ce_fix 2022-12-16 10:05:52.9905
99283 +0100
@@ -336,6 +336,12 @@ grub_iso9660_susp_iterate (grub_fshelp_n
}
entry = (struct grub_iso9660_susp_entry *) sua;
+
+ if (grub_strncmp ((char *) entry->sig, "CE", 2) == 0
+ || grub_strncmp ((char *) entry->sig, "ST", 2) == 0)
+ /* The hook function will not process CE or ST.
+ Advancing to the next entry would skip them. */
+ continue;
}
if (hook (entry, hook_arg))
---------------------------------------------------------------------------
Bystanders please note that the correctness of my "continue" depends
on Lidong Chen's patch 2, which changes the "for"-loop to a "while"-loop
with incrementation at the loop's end:
- for (entry = (struct grub_iso9660_susp_entry *) sua; (char *) entry < (char
*) sua + sua_size - 1 && entry->len > 0;
- entry = (struct grub_iso9660_susp_entry *)
- ((char *) entry + entry->len))
+ entry = (struct grub_iso9660_susp_entry *) sua;
+
+ while (entry->len > 0)
{
... loop content ...
+ entry = (struct grub_iso9660_susp_entry *) ((char *) entry + entry->len);
+
+ if (((sua + sua_size) - (char *) entry) < GRUB_ISO9660_SUSP_HEADER_SZ)
+ break;
}
In current grub-core/fs/iso9660.c we would have to goto the start of
the loop content, circumventing the incrementation step of "for".
Have a nice day :)
Thomas
- [PATCH v2 0/5] fs/iso9660: Fix out-of-bounds read, Lidong Chen, 2023/01/18
- [PATCH v2 4/5] fs/iso9660: Incorrect check for entry boundary, Lidong Chen, 2023/01/18
- [PATCH v2 3/5] fs/iso9660: Avoid reading past the entry boundary, Lidong Chen, 2023/01/18
- [PATCH v2 1/5] fs/iso9660: Add check to prevent infinite loop, Lidong Chen, 2023/01/18
- [PATCH v2 5/5] fs/iso9660: Prevent skipping CE or ST at start of continuation area, Lidong Chen, 2023/01/18
- Re: [PATCH v2 5/5] fs/iso9660: Prevent skipping CE or ST at start of continuation area,
Thomas Schmitt <=
- [PATCH v2 2/5] fs/iso9660: Prevent read past the end of system use area, Lidong Chen, 2023/01/18
- Re: [PATCH v2 0/5] fs/iso9660: Fix out-of-bounds read, Thomas Schmitt, 2023/01/18