From owner-freebsd-bugs@freebsd.org Thu Oct 8 18:41:23 2015 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8E63B9D2BF5 for ; Thu, 8 Oct 2015 18:41:23 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7B2D619B for ; Thu, 8 Oct 2015 18:41:23 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id t98IfNnM003039 for ; Thu, 8 Oct 2015 18:41:23 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 203645] makefs: Coverity CID 976312: SIGSEGV with option -l 3 Date: Thu, 08 Oct 2015 18:41:23 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: 11.0-CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: scdbackup@gmx.net X-Bugzilla-Status: New X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Oct 2015 18:41:23 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203645 Bug ID: 203645 Summary: makefs: Coverity CID 976312: SIGSEGV with option -l 3 Product: Base System Version: 11.0-CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: bin Assignee: freebsd-bugs@FreeBSD.org Reporter: scdbackup@gmx.net usr.sbin/makefs/cd9660.c CID 976312: Explicit null dereferenced (FORWARD_NULL)i 4. var_deref_op: Dereferencing null pointer conversion_function. 1740 return (*conversion_function)(oldname, newname, is_file); --------------- Source analysis: The function pointer is non-NULL only if diskStructure.isoLevel is 1 or 2. A snippet in cd9660_parse_opts() indicates that the value can indeed be 3: option_t cd9660_options[] = { { "l", &diskStructure.isoLevel, 1, 3, "ISO Level" }, { "isolevel", &diskStructure.isoLevel, 1, 3, "ISO Level" }, ... The line 1740 is in function cd9660_convert_filename(). ISO 9660 level 3 allows the same file names as level 2. The use of ISO level 3 is not announced anywhere in the ISO image but rather becomes visible only if a file is large enough to need more than one extent. Extents can have 4 GiB - 1 byte of size. The offer of ISO level 3 is questionable because neither FreeBSD nor NetBSD can read files with multiple extents from ISO 9660. http://lists.freebsd.org/pipermail/freebsd-hackers/2012-April/038552.html Surely nobody has ever created a level 3 ISO with makefs. Not only would it SIGSEGV, but also the struct stat.st_size value is assigned to int64_t cd9660node.fileDataLength without any check in cd9660.c line 871: newnode->fileDataLength = node->inode->st.st_size; Later it is handed over to cd9660_bothendian_dword() which expects uint32_t (see cd9660/cd9660_conversion.c) cd9660.c line 834: cd9660_bothendian_dword(newnode->fileDataLength, newnode->isoDirRecord->size); So only one extent will be produced with a size as given by the low 4 bytes of the disk file size. --------------- Remedy proposal: Restrict isoLevel to 1 and 2. - { "l", &diskStructure.isoLevel, 1, 3, "ISO Level" }, - { "isolevel", &diskStructure.isoLevel, 1, 3, "ISO Level" }, + { "l", &diskStructure.isoLevel, 1, 2, "ISO Level" }, + { "isolevel", &diskStructure.isoLevel, 1, 2, "ISO Level" }, Restrict data file size to 4 GiB - 1 byte. /* Set the size */ - if (!(S_ISDIR(node->type))) + if (!(S_ISDIR(node->type))) { + if (node->inode->st.st_size > (off_t) 4096 * 1024 * 1024 - 1) { + + >>> error out in appropriate way <<< + + } newnode->fileDataLength = node->inode->st.st_size; + } To appease checkers use the same conversion function for all levels above 1: - else if (diskStructure.isoLevel == 2) + else conversion_function = &cd9660_level2_convert_filename; -- You are receiving this mail because: You are the assignee for the bug.