kern/95625: [PATCH] Bug in cdboot's ISO9660 file name matching
olli at secnetix.de
Tue Apr 11 15:00:42 UTC 2006
>Synopsis: [PATCH] Bug in cdboot's ISO9660 file name matching
>Arrival-Date: Tue Apr 11 15:00:34 GMT 2006
>Originator: Oliver Fromme
>Release: FreeBSD 7.0-CURRENT i386
secnetix GmbH & Co. KG
The bug is present in all versions of FreeBSD that have
/boot/cdboot, including RELENG_5, RELENG_6 and HEAD.
The cdboot program is used on i386 and amd64.
There's a bug in src/sys/boot/i386/cdboot/cdboot.s.
I suggest you have a look at the simple patch below
first -- it's pretty obvious.
The code uses a string op loop (repe cmpsb) to compare
the file name in the ISO9660 directory entry with the
desired file name that should be loaded.
However, after the loop, "jcxz" is used to decide
whether the comparison produced a match. That's not
the right way to do it: %cx is zero even if the last
character did not match (provided that the file names
are the same length, of course).
That means that, if you have two file names that differ
only in the last character, cdboot might try to load
the wrong one (depending on which one appears first in
The fix is simple: Use "je" (jump if equal) instead
of "jcxz", because cmpsb sets the zero flag when the
characters compare equal (just like normal cmp).
Create a bootable FreeBSD CD that contains a file
"/boot/loaded" (or similar) and watch cdboot loading
the wrong file.
--- src/sys/boot/i386/cdboot/cdboot.s.orig Tue Jun 22 23:55:22 2004
+++ src/sys/boot/i386/cdboot/cdboot.s Tue Apr 11 16:39:48 2006
@@ -400,7 +400,7 @@
ff.checkname: lea DIR_NAME(%bx),%di # Address name in record
push %si # Save
repe cmpsb # Compare name
- jcxz ff.match # We have a winner!
+ je ff.match # We have a winner!
pop %si # Restore
jmp ff.nextrec # Keep looking.
ff.match: add $2,%sp # Discard saved %si
More information about the freebsd-bugs