[Bug 203646] makefs: Coverity CID 977470: Writes slightly wrong El Torito Boot Record

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Oct 8 18:51:14 UTC 2015 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203646

            Bug ID: 203646
           Summary: makefs: Coverity CID 977470: Writes slightly wrong El
                    Torito Boot Record
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: scdbackup at gmx.net

usr.sbin/makefs/cd9660/cd9660_eltorito.c

CID 977470: Out-of-bounds access (OVERRUN)
   2. overrun-buffer-val: Overrunning array
   diskStructure.boot_descriptor->boot_catalog_pointer of 4 bytes
   by passing it to a function which accesses it at byte offset 4.

374        cd9660_bothendian_dword(first_sector,
375                diskStructure.boot_descriptor->boot_catalog_pointer);

--------------- Source analysis:

cd9660_bothendian_dword() indeed writes 8 bytes (both endian)
into boot_catalog_pointer.

usr.sbin/makefs/cd9660.h defines

  typedef struct _iso9660_disk {
          ...
          boot_volume_descriptor *boot_descriptor;
          ...
  } iso9660_disk;

usr.sbin/makefs/cd9660/cd9660_eltorito.h defines

  typedef struct _boot_volume_descriptor {
          ...
          u_char boot_catalog_pointer [ISODCL(0x47,0x4A)];
          u_char unused2 [ISODCL(0x4B,0x7FF)];
  } boot_volume_descriptor;

So the overrun hits the first 4 bytes of .unused2 .

The little endian 4-byte value gets written to .boot_catalog_pointer,
even on big endian architectures. This could be very bad if used
for more computations.
But obviously this will only be written as byte string to the ISO
image.

El Torito 1.0 (1995) Figure 7 specifies bytes 0x4B to 0x7FFF
of the record as "Unused, must be 0."
But FreeBSD-11.0-CURRENT-amd64-20151001-r288459-disc1.iso
has at byte address (17 * 2048 + 0x4B) the values {0, 0, 0, 19}
which is the big endian address of the boot catalog.

--------------- Remedy proposal:

Use function cd9660_731() instead of cd9660_bothendian_dword():

-        cd9660_bothendian_dword(first_sector,
+        cd9660_731(first_sector,
                 diskStructure.boot_descriptor->boot_catalog_pointer);

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list