[Bug 203645] makefs: Coverity CID 976312: SIGSEGV with option -l 3

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Oct 8 18:41:23 UTC 2015 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203645

            Bug ID: 203645
           Summary: makefs: Coverity CID 976312: SIGSEGV with option -l 3
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: scdbackup at gmx.net

usr.sbin/makefs/cd9660.c

CID 976312: Explicit null dereferenced (FORWARD_NULL)i
   4. var_deref_op: Dereferencing null pointer conversion_function.

1740        return (*conversion_function)(oldname, newname, is_file);

--------------- Source analysis:

The function pointer is non-NULL only if diskStructure.isoLevel is
1 or 2. A snippet in cd9660_parse_opts() indicates that the value
can indeed be 3:

         option_t cd9660_options[] = {
                 { "l", &diskStructure.isoLevel, 1, 3, "ISO Level" },
                 { "isolevel", &diskStructure.isoLevel, 1, 3, "ISO Level" },
                 ...



The line 1740 is in function cd9660_convert_filename().
ISO 9660 level 3 allows the same file names as level 2.

The use of ISO level 3 is not announced anywhere in the ISO
image but rather becomes visible only if a file is large enough
to need more than one extent. Extents can have 4 GiB - 1 byte
of size.

The offer of ISO level 3 is questionable because neither FreeBSD
nor NetBSD can read files with multiple extents from ISO 9660.
  http://lists.freebsd.org/pipermail/freebsd-hackers/2012-April/038552.html

Surely nobody has ever created a level 3 ISO with makefs.
Not only would it SIGSEGV, but also the struct stat.st_size value
is assigned to int64_t cd9660node.fileDataLength without any check in
cd9660.c line 871:
                newnode->fileDataLength = node->inode->st.st_size;
Later it is handed over to cd9660_bothendian_dword()
which expects uint32_t (see cd9660/cd9660_conversion.c)
cd9660.c line 834:
        cd9660_bothendian_dword(newnode->fileDataLength,
            newnode->isoDirRecord->size);
So only one extent will be produced with a size as given by the
low 4 bytes of the disk file size.

--------------- Remedy proposal:

Restrict isoLevel to 1 and 2.

-                { "l", &diskStructure.isoLevel, 1, 3, "ISO Level" },
-                { "isolevel", &diskStructure.isoLevel, 1, 3, "ISO Level" },
+                { "l", &diskStructure.isoLevel, 1, 2, "ISO Level" },
+                { "isolevel", &diskStructure.isoLevel, 1, 2, "ISO Level" },

Restrict data file size to 4 GiB - 1 byte.

        /* Set the size */
-       if (!(S_ISDIR(node->type)))
+       if (!(S_ISDIR(node->type))) {
+               if (node->inode->st.st_size > (off_t) 4096 * 1024 * 1024 - 1) {
+
+                       >>> error out in appropriate way <<<
+
+               }
                newnode->fileDataLength = node->inode->st.st_size;
+       }

To appease checkers use the same conversion function for all
levels above 1:

-         else if (diskStructure.isoLevel == 2)
+         else
                  conversion_function = &cd9660_level2_convert_filename;

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list