Site Navigation

Date:      Thu, 08 Oct 2015 18:51:13 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 203646] makefs: Coverity CID 977470: Writes slightly wrong El Torito Boot Record
Message-ID:  <bug-203646-8@https.bugs.freebsd.org/bugzilla/>

---

next in thread | raw e-mail | index | archive | help

---

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203646

            Bug ID: 203646
           Summary: makefs: Coverity CID 977470: Writes slightly wrong El
                    Torito Boot Record
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: scdbackup@gmx.net

usr.sbin/makefs/cd9660/cd9660_eltorito.c

CID 977470: Out-of-bounds access (OVERRUN)
   2. overrun-buffer-val: Overrunning array
   diskStructure.boot_descriptor->boot_catalog_pointer of 4 bytes
   by passing it to a function which accesses it at byte offset 4.

374        cd9660_bothendian_dword(first_sector,
375                diskStructure.boot_descriptor->boot_catalog_pointer);

--------------- Source analysis:

cd9660_bothendian_dword() indeed writes 8 bytes (both endian)
into boot_catalog_pointer.

usr.sbin/makefs/cd9660.h defines

  typedef struct _iso9660_disk {
          ...
          boot_volume_descriptor *boot_descriptor;
          ...
  } iso9660_disk;

usr.sbin/makefs/cd9660/cd9660_eltorito.h defines

  typedef struct _boot_volume_descriptor {
          ...
          u_char boot_catalog_pointer [ISODCL(0x47,0x4A)];
          u_char unused2 [ISODCL(0x4B,0x7FF)];
  } boot_volume_descriptor;

So the overrun hits the first 4 bytes of .unused2 .

The little endian 4-byte value gets written to .boot_catalog_pointer,
even on big endian architectures. This could be very bad if used
for more computations.
But obviously this will only be written as byte string to the ISO
image.

El Torito 1.0 (1995) Figure 7 specifies bytes 0x4B to 0x7FFF
of the record as "Unused, must be 0."
But FreeBSD-11.0-CURRENT-amd64-20151001-r288459-disc1.iso
has at byte address (17 * 2048 + 0x4B) the values {0, 0, 0, 19}
which is the big endian address of the boot catalog.

--------------- Remedy proposal:

Use function cd9660_731() instead of cd9660_bothendian_dword():

-        cd9660_bothendian_dword(first_sector,
+        cd9660_731(first_sector,
                 diskStructure.boot_descriptor->boot_catalog_pointer);

-- 
You are receiving this mail because:
You are the assignee for the bug.

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-203646-8>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact