Date: Tue, 11 Apr 2006 16:57:54 +0200 (CEST)
From: Oliver Fromme <olli@secnetix.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Oliver Fromme <olli@secnetix.de>
Subject: kern/95625: [PATCH] Bug in cdboot's ISO9660 file name matching
Message-ID: <200604111457.k3BEvsxR041968@lurza.secnetix.de>
Resent-Message-ID: <200604111500.k3BF0Zpl049170@freefall.freebsd.org>
>Number:         95625
>Category:       kern
>Synopsis:       [PATCH] Bug in cdboot's ISO9660 file name matching
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 11 15:00:34 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Oliver Fromme
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
secnetix GmbH & Co. KG
http://www.secnetix.de/bsd
>Environment:
The bug is present in all versions of FreeBSD that have /boot/cdboot, including RELENG_5, RELENG_6 and HEAD. The cdboot program is used on i386 and amd64.
>Description:
There's a bug in src/sys/boot/i386/cdboot/cdboot.s. I suggest you have a look at the simple patch below first -- it's pretty obvious.

The code uses a string op loop (repe cmpsb) to compare the file name in the ISO9660 directory entry with the desired file name that should be loaded. However, after the loop, "jcxz" is used to decide whether the comparison produced a match. That's not the right way to do it: %cx is zero even if the last character did not match (provided that the file names are the same length, of course).

That means that, if you have two file names that differ only in the last character, cdboot might try to load the wrong one (depending on which one appears first in the directory).

The fix is simple: Use "je" (jump if equal) instead of "jcxz", because cmpsb sets the zero flag when the characters compare equal (just like normal cmp).
>How-To-Repeat:
Create a bootable FreeBSD CD that contains a file "/boot/loaded" (or similar) and watch cdboot loading the wrong file.
>Fix:
--- src/sys/boot/i386/cdboot/cdboot.s.orig	Tue Jun 22 23:55:22 2004
+++ src/sys/boot/i386/cdboot/cdboot.s	Tue Apr 11 16:39:48 2006
@@ -400,7 +400,7 @@ ff.checkname: lea DIR_NAME(%bx),%di # Address name in record push %si # Save repe cmpsb # Compare name - jcxz ff.match # We have a winner! + je ff.match # We have a winner! pop %si # Restore jmp ff.nextrec # Keep looking. ff.match: add $2,%sp # Discard saved %si >Release-Note: >Audit-Trail: >Unformatted:
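Review bot: worth confirming that %cx is nonzero on entry to ff.checkname (the hunk does not show where it is loaded), because `je` now depends on ZF from the last `cmpsb`, and a `rep` prefix with %cx == 0 executes no iteration at all and leaves ZF as whatever the preceding instruction set it to. Otherwise the change is right: `repe cmpsb` stops either when the bytes differ (ZF clear) or when %cx runs out, and %cx reaches zero in both the full-match case and the mismatch-in-last-byte case, so `jcxz` cannot tell them apart while `je` can. Since the reasoning is non-obvious to the next reader, consider extending the comment on the new line, e.g. `je ff.match # ZF set only if all bytes compared equal`.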
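To make the flag semantics in the report concrete, here is an added C model of the `repe cmpsb` loop and of the two branch instructions; it is not code from the PR or from cdboot. It tracks the two things the loop leaves behind, the remaining count in %cx and the zero flag, and then applies the original `jcxz` test and the patched `je` test to the same result. The file names LOADER/LOADED and the hypothetical `name_matches()` helper are constructed for the example; the model assumes, as the report does, that the two names have already been checked to be the same length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What "repe cmpsb" leaves behind: the remaining count and the zero flag. */
struct cmps_result {
    size_t cx;   /* bytes left in %cx when the loop stopped */
    bool   zf;   /* ZF after the last cmpsb that executed */
};

/* Model of "repe cmpsb": compare one byte at (%si) and (%di), decrement %cx,
 * and keep going while %cx != 0 and the bytes were equal (ZF set).
 * With %cx == 0 on entry no compare runs, so ZF keeps its previous value. */
static struct cmps_result repe_cmpsb(const unsigned char *si,
                                     const unsigned char *di,
                                     size_t cx, bool zf_in)
{
    struct cmps_result r = { cx, zf_in };
    while (r.cx != 0) {
        r.zf = (*si++ == *di++);
        r.cx--;
        if (!r.zf)
            break;          /* mismatch: repe stops early, %cx may be > 0 */
    }
    return r;
}

/* Original cdboot test: "jcxz ff.match" -> match whenever %cx hit zero. */
static bool match_jcxz(struct cmps_result r) { return r.cx == 0; }

/* Patched test: "je ff.match" -> match only if the last cmpsb set ZF. */
static bool match_je(struct cmps_result r) { return r.zf; }

/* Hypothetical helper: compare a directory entry name against the wanted
 * name over strlen(wanted) bytes, and report the verdict of either branch.
 * Assumes equal lengths were checked before, as the report's scenario does. */
static bool name_matches(const char *entry, const char *wanted, bool use_je)
{
    size_t len = strlen(wanted);
    if (strlen(entry) != len)
        return false;
    struct cmps_result r = repe_cmpsb((const unsigned char *)wanted,
                                      (const unsigned char *)entry,
                                      len, false);
    return use_je ? match_je(r) : match_jcxz(r);
}

int main(void)
{
    /* Constructed directory entries: the wanted name and a decoy that
     * differs only in its last character. */
    const char *wanted = "LOADER";
    const char *entries[] = { "KERNEL", "LOADED", "LOADER" };

    printf("%-8s %-5s %-5s\n", "entry", "jcxz", "je");
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        printf("%-8s %-5s %-5s\n", entries[i],
               name_matches(entries[i], wanted, false) ? "match" : "no",
               name_matches(entries[i], wanted, true)  ? "match" : "no");
    }
    return 0;
}
```

Running it shows the report's failure mode directly: for the entry LOADED the loop stops with %cx == 0 and ZF clear, so `jcxz` reports a match and `je` does not; for KERNEL the first byte already differs, so %cx is still 5 and both tests agree on "no"; only LOADER satisfies both.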