[Bug 263663] damaged El Torito image can cause etdump to dump core
Date: Fri, 29 Apr 2022 19:13:54 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263663

            Bug ID: 263663
           Summary: damaged El Torito image can cause etdump to dump core
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 233589
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=233589&action=edit
a file that causes etdump to crash

dump_section() in /usr/src/usr.bin/etdump/etdump.c says:

    for (i = 1; i <= (int)sh->num_section_entries[0]; i++) {
        entry_offset = offset + i * ET_BOOT_ENTRY_SIZE;
        entry = (boot_catalog_section_entry *)&buffer[entry_offset];

If sh->num_section_entries[0] is large, for example 255, it causes etdump to read off the end of buffer[2048], and on my machine off the end of the stack, and crash.

I've attached a demo image:

% uname -a
FreeBSD xxx 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24 07:33:27 UTC 2021     root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64
% etdump etbad2
etdump: etbad2: not a valid ISO
etdump: etbad2: not an El Torito bootable ISO
etdump: etbad2: boot catalog checksum is invalid
Image in etbad2
Section header: invalid
Section entry
System i386
Start LBA 2021161080 (0x78787878), sector count 30840 (0x7878)
Media type: invalid
Bus error (core dumped)

-- 
You are receiving this mail because:
You are the assignee for the bug.
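As an added example, not code from the report or from etdump itself: the same section walk with the bounds check the report shows is missing, plus a constructed all-'x' catalog standing in for the attached image. The header layout follows the El Torito specification (both count bytes are read, not just the low one); the function names are assumptions.

```c
/* Added example, not etdump's code: the report's section walk with the bounds
 * check it lacks. Header layout follows El Torito; names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ET_BOOT_CATALOG_SIZE 2048   /* one sector, as etdump's buffer[2048] */
#define ET_BOOT_ENTRY_SIZE   32     /* every catalog record is 32 bytes */

typedef struct {
    uint8_t header_indicator;       /* 0x90 more headers follow, 0x91 last */
    uint8_t platform_id;
    uint8_t num_section_entries[2]; /* little-endian count, read from the file */
    char    id_string[28];
} boot_catalog_section_header;

/* Visit the entries after the section header at `offset`, treating the header's
 * count as a claim to check, not a loop bound to trust: an entry is visited only
 * if all 32 bytes lie inside the catalog. Returns entries visited, -1 if the
 * header itself does not fit. */
int walk_section_entries(const uint8_t *buffer, size_t buflen, size_t offset)
{
    const boot_catalog_section_header *sh;
    size_t entry_offset;
    int i, claimed, visited = 0;
    if (offset > buflen || buflen - offset < ET_BOOT_ENTRY_SIZE)
        return -1;
    sh = (const boot_catalog_section_header *)&buffer[offset];
    claimed = sh->num_section_entries[0] | (sh->num_section_entries[1] << 8);
    for (i = 1; i <= claimed; i++) {
        entry_offset = offset + (size_t)i * ET_BOOT_ENTRY_SIZE;
        /* The check the reported loop lacks (claimed <= 65535, so no overflow). */
        if (entry_offset + ET_BOOT_ENTRY_SIZE > buflen)
            break;
        const uint8_t *entry = &buffer[entry_offset];
        (void)entry;                /* decode or print the 32-byte entry here */
        visited++;
    }
    return visited;
}

/* Constructed stand-in for the attached image: a catalog of 'x' bytes (0x78, the
 * value behind the report's 0x78787878 LBA) with a header at `hdr_off` that
 * claims `claimed` entries; returns what the checked walk makes of it. */
int walk_damaged_catalog(size_t hdr_off, uint16_t claimed)
{
    uint8_t buf[ET_BOOT_CATALOG_SIZE];
    memset(buf, 'x', sizeof buf);
    buf[hdr_off + 2] = (uint8_t)(claimed & 0xff);
    buf[hdr_off + 3] = (uint8_t)(claimed >> 8);
    return walk_section_entries(buf, sizeof buf, hdr_off);
}
```

With the header at offset 64 claiming 255 entries, only the 61 entries that actually fit in the 2048-byte catalog are visited; the unchecked loop would have read 194 more records past the end of the buffer.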