From owner-freebsd-bugs@freebsd.org Thu Oct 8 18:51:13 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 203646] makefs: Coverity CID 977470: Writes slightly wrong El Torito Boot Record
Date: Thu, 08 Oct 2015 18:51:13 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: scdbackup@gmx.net
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203646

Bug ID: 203646
Summary: makefs: Coverity CID 977470: Writes slightly wrong El Torito Boot Record
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: freebsd-bugs@FreeBSD.org
Reporter: scdbackup@gmx.net

usr.sbin/makefs/cd9660/cd9660_eltorito.c

CID 977470: Out-of-bounds access (OVERRUN)
2. overrun-buffer-val: Overrunning array diskStructure.boot_descriptor->boot_catalog_pointer of 4 bytes by passing it to a function which accesses it at byte offset 4.

    374         cd9660_bothendian_dword(first_sector,
    375             diskStructure.boot_descriptor->boot_catalog_pointer);

---------------
Source analysis:

cd9660_bothendian_dword() indeed writes 8 bytes (both endian) into boot_catalog_pointer.

usr.sbin/makefs/cd9660.h defines

    typedef struct _iso9660_disk {
        ...
        boot_volume_descriptor *boot_descriptor;
        ...
    } iso9660_disk;

usr.sbin/makefs/cd9660/cd9660_eltorito.h defines

    typedef struct _boot_volume_descriptor {
        ...
        u_char boot_catalog_pointer [ISODCL(0x47,0x4A)];
        u_char unused2 [ISODCL(0x4B,0x7FF)];
    } boot_volume_descriptor;

So the overrun hits the first 4 bytes of .unused2 .

The little endian 4-byte value gets written to .boot_catalog_pointer, even on big endian architectures. This could be very bad if used for more computations. But obviously this will only be written as a byte string to the ISO image.

El Torito 1.0 (1995) Figure 7 specifies bytes 0x4B to 0x7FF of the record as "Unused, must be 0." But FreeBSD-11.0-CURRENT-amd64-20151001-r288459-disc1.iso has at byte address (17 * 2048 + 0x4B) the values {0, 0, 0, 19}, which is the big endian address of the boot catalog.
---------------
Remedy proposal:

Use function cd9660_731() instead of cd9660_bothendian_dword():

-	cd9660_bothendian_dword(first_sector,
+	cd9660_731(first_sector,
 	    diskStructure.boot_descriptor->boot_catalog_pointer);
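Review bot: with the `+` line writing only the 4-byte 7.3.1 value, bytes 0x4B..0x4E of the descriptor are no longer touched by this call, so whether the "Unused, must be 0" region actually ends up zero now depends entirely on how boot_descriptor is allocated; the report quotes the struct but not its initialization, so confirm the descriptor is zero-filled (memset or calloc) before this write, otherwise the region would carry whatever the allocator left there instead of the stale big-endian copy. It would also help to annotate the boot_catalog_pointer member in cd9660_eltorito.h as a 7.3.1 little-endian field, so the 8-byte both-endian writer is not reached for again, and to re-check a freshly built image at offset 17 * 2048 + 0x4B for four zero bytes, the same inspection the report used to find the spill.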
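An added example, not code from the bug report or from makefs: it builds the 2048-byte El Torito Boot Record Volume Descriptor (sector 17 of an image) both the way the report describes makefs doing it (an 8-byte both-endian write aimed at the 4-byte pointer field) and the way the remedy proposes (a single 7.3.1 write), then runs a checker over the result that reads the catalog pointer and enforces the "Unused, must be 0" regions from El Torito 1.0 Figure 7. The writers carry the makefs names cd9660_731() and cd9660_bothendian_dword() but are re-implemented here from the ISO 9660 encodings those names denote (an assumption about the originals based on the report's description, not a copy of them); build_boot_record_buggy(), build_boot_record_fixed(), check_boot_record() and boot_record_image_offset() are names chosen for this example, and the catalog LBA 19 is a constructed input matching the value the report found in the image.

```c
/*
 * Added example (not makefs code): El Torito Boot Record Volume Descriptor,
 * built with the 8-byte both-endian writer from the report and with the
 * 4-byte 7.3.1 writer the remedy proposes, plus a validator. Offsets follow
 * El Torito 1.0 Figure 7; the cd9660_* writers are re-implemented here.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE        2048
#define BOOT_RECORD_LBA    17      /* the Boot Record always lives at LBA 17 */
#define BR_INDICATOR       0x00    /* 0 = Boot Record */
#define BR_ISO_ID          0x01    /* "CD001" */
#define BR_VERSION         0x06    /* 1 */
#define BR_BOOT_SYSTEM_ID  0x07    /* "EL TORITO SPECIFICATION", NUL padded to 32 bytes */
#define BR_UNUSED1         0x27    /* 0x27..0x46: unused, must be 0 */
#define BR_CATALOG_POINTER 0x47    /* 0x47..0x4A: LBA of boot catalog, 7.3.1 little-endian */
#define BR_UNUSED2         0x4B    /* 0x4B..0x7FF: unused, must be 0 */

static const char BOOT_SYSTEM_ID[] = "EL TORITO SPECIFICATION";

/* ISO 9660 7.3.1: 32-bit little-endian, 4 bytes. */
static void cd9660_731(uint32_t w, unsigned char *buf) {
    for (int i = 0; i < 4; i++) buf[i] = (unsigned char)(w >> (8 * i));
}

/* ISO 9660 7.3.2: 32-bit big-endian, 4 bytes. */
static void cd9660_732(uint32_t w, unsigned char *buf) {
    for (int i = 0; i < 4; i++) buf[i] = (unsigned char)(w >> (8 * (3 - i)));
}

/* ISO 9660 7.3.3: both-endian, LE then BE. Writes 8 bytes, which is the bug. */
static void cd9660_bothendian_dword(uint32_t w, unsigned char *buf) {
    cd9660_731(w, buf);
    cd9660_732(w, buf + 4);
}

static uint32_t read_731(const unsigned char *buf) {
    return (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
           ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

/* Fixed fields of the descriptor; everything not written stays zero (indicator included). */
static void boot_record_common(unsigned char rec[SECTOR_SIZE]) {
    memset(rec, 0, SECTOR_SIZE);
    memcpy(rec + BR_ISO_ID, "CD001", 5);
    rec[BR_VERSION] = 1;
    memcpy(rec + BR_BOOT_SYSTEM_ID, BOOT_SYSTEM_ID, sizeof BOOT_SYSTEM_ID - 1);
}

/* Pre-fix behaviour: 8-byte write aimed at the 4-byte pointer field. Done on the
 * flat sector so the spill lands in 0x4B..0x4E as it does in the struct, without
 * repeating the out-of-bounds member access itself. */
void build_boot_record_buggy(uint32_t catalog_lba, unsigned char rec[SECTOR_SIZE]) {
    boot_record_common(rec);
    cd9660_bothendian_dword(catalog_lba, rec + BR_CATALOG_POINTER);
}

/* Proposed remedy: one 7.3.1 write of the pointer. */
void build_boot_record_fixed(uint32_t catalog_lba, unsigned char rec[SECTOR_SIZE]) {
    boot_record_common(rec);
    cd9660_731(catalog_lba, rec + BR_CATALOG_POINTER);
}

/* Validate a Boot Record Volume Descriptor. Returns 0 and stores the catalog LBA
 * on success; otherwise a negative code for the first failed check: -1 indicator,
 * -2 "CD001", -3 version, -4 boot system id, -5 non-zero byte in 0x27..0x46,
 * -6 non-zero byte in 0x4B..0x7FF. */
int check_boot_record(const unsigned char rec[SECTOR_SIZE], uint32_t *catalog_lba) {
    if (rec[BR_INDICATOR] != 0) return -1;
    if (memcmp(rec + BR_ISO_ID, "CD001", 5) != 0) return -2;
    if (rec[BR_VERSION] != 1) return -3;
    if (memcmp(rec + BR_BOOT_SYSTEM_ID, BOOT_SYSTEM_ID, sizeof BOOT_SYSTEM_ID - 1) != 0) return -4;
    for (size_t i = BR_UNUSED1; i < BR_CATALOG_POINTER; i++) if (rec[i] != 0) return -5;
    for (size_t i = BR_UNUSED2; i < SECTOR_SIZE; i++) if (rec[i] != 0) return -6;
    if (catalog_lba) *catalog_lba = read_731(rec + BR_CATALOG_POINTER);
    return 0;
}

/* File offset of byte `off` of the Boot Record within an ISO image. */
long boot_record_image_offset(unsigned off) {
    return (long)BOOT_RECORD_LBA * SECTOR_SIZE + (long)off;
}

int main(void) {
    unsigned char rec[SECTOR_SIZE];
    uint32_t lba = 0;

    build_boot_record_buggy(19, rec);   /* constructed input: catalog at LBA 19 */
    printf("buggy: check=%d, bytes at 0x4B = {%d, %d, %d, %d}\n",
           check_boot_record(rec, &lba), rec[0x4B], rec[0x4C], rec[0x4D], rec[0x4E]);

    build_boot_record_fixed(19, rec);
    printf("fixed: check=%d, catalog LBA=%u, 0x4B is at image offset %ld\n",
           check_boot_record(rec, &lba), (unsigned)lba, boot_record_image_offset(0x4B));
    return 0;
}
```

The buggy builder reproduces exactly what the report observed: the pointer bytes at 0x47..0x4A hold the little-endian value and the big-endian copy {0, 0, 0, 19} lands at 0x4B..0x4E, which the checker rejects with -6. The same checker can be pointed at a real image by reading 2048 bytes at boot_record_image_offset(0).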