List: freebsd-bugs
Subject: [Bug 263663] damaged El Torito image can cause etdump to dump core
From: bugzilla-noreply () freebsd ! org
Date: 2022-04-29 19:13:54
Message-ID: bug-263663-227 () https ! bugs ! freebsd ! org/bugzilla/
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263663
Bug ID: 263663
Summary: damaged El Torito image can cause etdump to dump core
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Created attachment 233589
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=233589&action=edit
a file that causes etdump to crash
dump_section() in /usr/src/usr.bin/etdump/etdump.c says:
    for (i = 1; i <= (int)sh->num_section_entries[0]; i++) {
            entry_offset = offset + i * ET_BOOT_ENTRY_SIZE;
            entry =
                (boot_catalog_section_entry *)&buffer[entry_offset];
If sh->num_section_entries[0] is large, for example 255, it causes
etdump to read off the end of buffer[2048], and on my machine off the
end of the stack, and crash.
I've attached a demo image:
% uname -a
FreeBSD xxx 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24 07:33:27 UTC 2021 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
% etdump etbad2
etdump: etbad2: not a valid ISO
etdump: etbad2: not an El Torito bootable ISO
etdump: etbad2: boot catalog checksum is invalid
Image in etbad2
Section header: invalid
Section entry
System i386
Start LBA 2021161080 (0x78787878), sector count 30840 (0x7878)
Media type: invalid
Bus error (core dumped)
--
You are receiving this mail because:
You are the assignee for the bug.
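
A bounded form of the loop quoted in the report, as an added example (not code from the report or from FreeBSD): the count byte from the image is clamped to the entries that fit in the 2048-byte buffer before any entry pointer is formed. Assumptions: ET_BOOT_ENTRY_SIZE is 32, the count byte sits at offset 2 of the section header, the header is the third 32-byte record (offset 64), and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 2048 /* buffer[2048] as named in the report */
#define ENTRY_SIZE  32   /* assumed value of ET_BOOT_ENTRY_SIZE */

/* Hypothetical helper: entries after the header at `offset` that fit. */
size_t
safe_entry_count(size_t buflen, size_t offset, uint8_t claimed)
{
	size_t room;
	/* The section header itself must lie inside the buffer. */
	if (offset > buflen || buflen - offset < ENTRY_SIZE)
		return (0);
	room = (buflen - offset) / ENTRY_SIZE - 1; /* slots after header */
	return (claimed < room ? claimed : room);
}

/*
 * Same loop shape as in the report (i starts at 1, entry i sits at
 * offset + i * ENTRY_SIZE), but bounded by the buffer, not by the image.
 * Returns entries visited; *truncated is set when the count was clamped.
 */
size_t
walk_section(const uint8_t *buf, size_t buflen, size_t offset, int *truncated)
{
	size_t i, n, visited = 0;
	uint8_t claimed;
	*truncated = 0;
	if (offset > buflen || buflen - offset < ENTRY_SIZE)
		return (0);
	claimed = buf[offset + 2]; /* assumed position of the count byte */
	n = safe_entry_count(buflen, offset, claimed);
	*truncated = (n < claimed);
	for (i = 1; i <= n; i++) {
		const uint8_t *entry = &buf[offset + i * ENTRY_SIZE];
		(void)entry[ENTRY_SIZE - 1]; /* last byte is in bounds */
		visited++;
	}
	return (visited);
}

/* Constructed input (not the attachment): a sector filled with 0x78. */
size_t
demo_damaged(int *truncated)
{
	uint8_t sector[SECTOR_SIZE];
	memset(sector, 0x78, sizeof(sector));
	return (walk_section(sector, sizeof(sector), 64, truncated));
}
```

With the constructed sector the header claims 120 entries, 61 are visited, and the truncation flag lets the caller report the catalog as damaged.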