Date: Thu, 08 Oct 2015 18:51:13 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 203646] makefs: Coverity CID 977470: Writes slightly wrong El Torito Boot Record
Message-ID: <bug-203646-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203646

Bug ID: 203646
Summary: makefs: Coverity CID 977470: Writes slightly wrong El Torito Boot Record
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: freebsd-bugs@FreeBSD.org
Reporter: scdbackup@gmx.net

usr.sbin/makefs/cd9660/cd9660_eltorito.c

CID 977470: Out-of-bounds access (OVERRUN)
2. overrun-buffer-val: Overrunning array diskStructure.boot_descriptor->boot_catalog_pointer of 4 bytes by passing it to a function which accesses it at byte offset 4.
374         cd9660_bothendian_dword(first_sector,
375             diskStructure.boot_descriptor->boot_catalog_pointer);

---------------
Source analysis:

cd9660_bothendian_dword() indeed writes 8 bytes (both endian) into boot_catalog_pointer.

usr.sbin/makefs/cd9660.h defines

  typedef struct _iso9660_disk {
    ...
    boot_volume_descriptor *boot_descriptor;
    ...
  } iso9660_disk;

usr.sbin/makefs/cd9660/cd9660_eltorito.h defines

  typedef struct _boot_volume_descriptor {
    ...
    u_char boot_catalog_pointer [ISODCL(0x47,0x4A)];
    u_char unused2 [ISODCL(0x4B,0x7FF)];
  } boot_volume_descriptor;

So the overrun hits the first 4 bytes of .unused2 .

The little endian 4-byte value gets written to .boot_catalog_pointer, even on big endian architectures. This could be very bad if used for more computations. But obviously this will only be written as a byte string to the ISO image.

El Torito 1.0 (1995) Figure 7 specifies bytes 0x4B to 0x7FFF of the record as "Unused, must be 0."

But FreeBSD-11.0-CURRENT-amd64-20151001-r288459-disc1.iso has at byte address (17 * 2048 + 0x4B) the values {0, 0, 0, 19}, which is the big endian address of the boot catalog.
---------------
Remedy proposal:

Use function cd9660_731() instead of cd9660_bothendian_dword():

-        cd9660_bothendian_dword(first_sector,
+        cd9660_731(first_sector,
             diskStructure.boot_descriptor->boot_catalog_pointer);

-- 
You are receiving this mail because:
You are the assignee for the bug.
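Review bot: the call swap addresses exactly the defect described (an 8-byte both-endian write into a 4-byte field), since the report itself notes that the little-endian dword already landed in boot_catalog_pointer and only the big-endian copy spilled into unused2, which the spec requires to be zero; the proposal would be stronger with a regression check alongside it, i.e. build an image and verify that bytes 0x4B through 0x7FF of sector 17 are all zero, because that byte inspection is how the bug was observed in the first place.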
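The overrun described in the report, as an added C example that is not part of the bug report or of makefs: it models the record layout with the offsets the report quotes, re-implements the two ISO 9660 encodings under the assumed names put_731 and put_733 (not the makefs functions), and checks a built record the way one would check sector 17 of an image (little-endian pointer at 0x47, all-zero unused2).

```c
/* Added example, not makefs code: models the boot record layout from the report
 * and shows why the 8-byte both-endian write into the 4-byte boot_catalog_pointer
 * spills into unused2. put_731/put_733 re-implement ISO 9660 7.3.1 and 7.3.3. */
#include <stdint.h>
#include <string.h>
#define SECTOR_SIZE 2048
#define BCP_OFFSET  0x47  /* boot_catalog_pointer: bytes 0x47..0x4A */
#define UNUSED2_OFF 0x4B  /* unused2: bytes 0x4B..0x7FF, "must be 0" */

/* ISO 9660 7.3.1: 32-bit little-endian, writes 4 bytes (the remedy). */
static void put_731(uint32_t v, unsigned char *p)
{
    for (int i = 0; i < 4; i++)
        p[i] = (v >> (8 * i)) & 0xff;
}

/* ISO 9660 7.3.3: LE dword then BE dword, writes 8 bytes (the overrun). */
static void put_733(uint32_t v, unsigned char *p)
{
    put_731(v, p);
    for (int i = 0; i < 4; i++)
        p[4 + i] = (v >> (8 * (3 - i))) & 0xff;
}

/* Check a built record: LE pointer at 0x47 and unused2 all zero (El Torito
 * 1.0 Figure 7). Returns 1 when the record conforms, else 0. */
int boot_record_ok(const unsigned char *rec, uint32_t expected_sector)
{
    unsigned char le[4];
    put_731(expected_sector, le);
    if (memcmp(rec + BCP_OFFSET, le, 4) != 0)
        return 0;
    for (size_t i = UNUSED2_OFF; i < SECTOR_SIZE; i++)
        if (rec[i] != 0)
            return 0;
    return 1;
}

/* Build a zeroed record with the buggy (use_731 == 0) or remedied encoder,
 * return the verdict and expose the byte at 0x4B + idx, where the report
 * found the big-endian copy {0, 0, 0, 19}. */
int record_check(int use_731, uint32_t first_sector, size_t idx, unsigned char *out)
{
    unsigned char rec[SECTOR_SIZE];
    memset(rec, 0, sizeof rec);
    (use_731 ? put_731 : put_733)(first_sector, rec + BCP_OFFSET);
    *out = rec[UNUSED2_OFF + idx];
    return boot_record_ok(rec, first_sector);
}
```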