[Bug 203646] makefs: Coverity CID 977470: Writes slightly wrong El Torito Boot Record
bugzilla-noreply at freebsd.org
Thu Oct 8 18:51:14 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203646
Bug ID: 203646
Summary: makefs: Coverity CID 977470: Writes slightly wrong El Torito Boot Record
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: freebsd-bugs at FreeBSD.org
Reporter: scdbackup at gmx.net
usr.sbin/makefs/cd9660/cd9660_eltorito.c
CID 977470: Out-of-bounds access (OVERRUN)
2. overrun-buffer-val: Overrunning array
diskStructure.boot_descriptor->boot_catalog_pointer of 4 bytes
by passing it to a function which accesses it at byte offset 4.
374 cd9660_bothendian_dword(first_sector,
375 diskStructure.boot_descriptor->boot_catalog_pointer);
--------------- Source analysis:
cd9660_bothendian_dword() indeed writes 8 bytes (both endian)
into boot_catalog_pointer.
usr.sbin/makefs/cd9660.h defines
typedef struct _iso9660_disk {
...
boot_volume_descriptor *boot_descriptor;
...
} iso9660_disk;
usr.sbin/makefs/cd9660/cd9660_eltorito.h defines
typedef struct _boot_volume_descriptor {
...
u_char boot_catalog_pointer [ISODCL(0x47,0x4A)];
u_char unused2 [ISODCL(0x4B,0x7FF)];
} boot_volume_descriptor;
So the overrun hits the first 4 bytes of .unused2.
The little-endian 4-byte value is written to .boot_catalog_pointer
even on big-endian architectures. This could be very bad if the field
were used for further computations, but obviously it is only written
as a byte string to the ISO image.
El Torito 1.0 (1995) Figure 7 specifies bytes 0x4B to 0x7FFF
of the record as "Unused, must be 0."
But FreeBSD-11.0-CURRENT-amd64-20151001-r288459-disc1.iso
has, at byte address (17 * 2048 + 0x4B), the values {0, 0, 0, 19},
which is the big-endian address of the boot catalog.
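To make the analysis above concrete, here is an added, self-contained model (not makefs code) of the boot record sector: put_731() and put_733() reproduce the 4-byte and 8-byte encodings of ISO 9660 7.3.1 and 7.3.3 (the layouts of cd9660_731() and cd9660_bothendian_dword()), build_and_check() fills the sector either way and then scans the must-be-zero region exactly as the report inspected disc1.iso. The sector buffer, the function names and the boot catalog address 19 are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the 2048-byte El Torito boot record sector, using offsets
 * from cd9660_eltorito.h: boot_catalog_pointer is 0x47..0x4A, unused2 0x4B..0x7FF. */
#define SECTOR_SIZE   2048
#define BOOT_CAT_PTR  0x47
#define UNUSED2_START 0x4B
static uint8_t sector[SECTOR_SIZE];   /* stands in for sector 17 of the image */

/* ISO 9660 7.3.1: 32-bit little-endian, 4 bytes (layout of cd9660_731()). */
static void put_731(uint32_t w, uint8_t *s)
{
    s[0] = (uint8_t)w;         s[1] = (uint8_t)(w >> 8);
    s[2] = (uint8_t)(w >> 16); s[3] = (uint8_t)(w >> 24);
}

/* ISO 9660 7.3.3: little-endian then big-endian copy, 8 bytes (layout of
 * cd9660_bothendian_dword()). Four bytes more than the field holds. */
static void put_733(uint32_t w, uint8_t *s)
{
    put_731(w, s);
    s[4] = (uint8_t)(w >> 24); s[5] = (uint8_t)(w >> 16);
    s[6] = (uint8_t)(w >> 8);  s[7] = (uint8_t)w;
}

/* Build the record as makefs does before (use_731 == 0) or after (use_731 != 0)
 * the proposed remedy, then scan unused2 as the report did on disc1.iso.
 * Returns the offset of the first non-zero byte there, or -1 if clean. */
int build_and_check(uint32_t first_sector, int use_731)
{
    memset(sector, 0, sizeof sector);
    if (use_731)
        put_731(first_sector, sector + BOOT_CAT_PTR);
    else
        put_733(first_sector, sector + BOOT_CAT_PTR);
    for (int i = UNUSED2_START; i < SECTOR_SIZE; i++)
        if (sector[i] != 0)
            return i;
    return -1;
}

/* Byte at an offset of the last built sector, e.g. to inspect 0x4B..0x4E. */
int sector_byte(int off) { return sector[off]; }

/* The pointer as an El Torito reader decodes it: little-endian only. */
uint32_t boot_catalog_pointer(void)
{
    const uint8_t *p = sector + BOOT_CAT_PTR;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
```

With first_sector 19 the unfixed path leaves {0, 0, 0, 19} at 0x4B..0x4E, matching the bytes seen in the image, while the 7.3.1 path leaves the region zero and the little-endian pointer unchanged.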
--------------- Remedy proposal:
Use function cd9660_731() instead of cd9660_bothendian_dword():
- cd9660_bothendian_dword(first_sector,
+ cd9660_731(first_sector,
diskStructure.boot_descriptor->boot_catalog_pointer);
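Review bot: The replacement is consistent with the analysis above: cd9660_731() emits only the 4-byte little-endian form, so the field is filled exactly and the trailing big-endian copy no longer spills into unused2. It would be worth confirming on a freshly built image that bytes 0x4B..0x4E of sector 17 read back as zero, since that is the check that exposed the overrun in disc1.iso.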