Date: Wed, 02 Aug 2023 15:52:56 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 272896] cd9660_rrip_*() can read beyond the end of a buf
Message-ID: <bug-272896-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272896

            Bug ID: 272896
           Summary: cd9660_rrip_*() can read beyond the end of a buf
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 243805
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=243805&action=edit
a cd9660 image that causes cd9660_rrip_cont() to read beyond the end of a buf

cd9660_rrip_loop() checks that the SUSP header is within the buf:

    while (pend >= phead + 1) {

But individual RRIP functions access fields beyond phead+1, and as a result
can crash if phead is just before the end of the buf.

I've attached a demo image:

# gunzip cd1a.iso.gz
# mdconfig cd1a.iso
# mount_cd9660 /dev/md0 /mnt

panic: vm_fault_lookup: fault on nofault entry, addr: 0xffffffc003a35000
--- exception 13, tval = 0xffffffc003a35001
isonum_733() at isonum_733+0x8
cd9660_rrip_cont() at cd9660_rrip_cont+0x16
cd9660_rrip_loop() at cd9660_rrip_loop+0xfa
cd9660_rrip_offset() at cd9660_rrip_offset+0x70
iso_mountfs() at iso_mountfs+0x692
cd9660_mount() at cd9660_mount+0x1a2
vfs_domount_first() at vfs_domount_first+0x1cc
vfs_domount() at vfs_domount+0x26c
vfs_donmount() at vfs_donmount+0x82c
sys_nmount() at sys_nmount+0x5e
syscallenter() at syscallenter+0xe0
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf2
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (378, FreeBSD ELF64, nmount)

-- 
You are receiving this mail because:
You are the assignee for the bug.
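The bounds problem the report describes, as an added standalone illustration that is not FreeBSD's cd9660 code: a minimal SUSP entry walker in C over a constructed system-use area, running the report's header-only check ("the header fits") beside a check that the whole entry declared by the length byte fits. The CE (continuation) entry layout and the both-byte-order 733 number format follow the SUSP/Rock Ridge specifications; the names susp_walk, build_area and run_demo, the "XX" filler entry and the sample bytes are this example's own, and the out-of-bounds read is recorded rather than performed so the program is safe to run.

```c
/*
 * Added example, not kernel code: a SUSP entry walker with the report's
 * header-only bounds check (strict == 0) beside a whole-entry check
 * (strict == 1). Entry layouts follow SUSP/RRIP; names are this example's.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SUSP entry header: 2-byte signature, total length incl. header, version. */
struct susp_header {
    char    type[2];
    uint8_t length;
    uint8_t version;
};

/* Body of a Rock Ridge "CE" entry: block, offset, length, each an 8-byte
 * both-byte-order 32-bit number (ISO 9660 format 7.3.3). */
#define CE_BODY_LEN  24
#define CE_ENTRY_LEN (sizeof(struct susp_header) + CE_BODY_LEN)

/* Little-endian half of a 7.3.3 field, what isonum_733() in the trace reads. */
static uint32_t isonum_733(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

struct walk_result {
    int      entries;   /* entries handed to a type-specific handler */
    int      overreads; /* handler reads that would have run past the end */
    uint32_t ce_block;  /* block number from the last fully in-bounds CE */
};

/*
 * strict == 0: only the loop's "header fits" check, as in the report; the CE
 * handler assumes its 24-byte body is present. Instead of dereferencing past
 * the end we count the would-be out-of-bounds read.
 * strict == 1: additionally require that the declared entry length fits in
 * the area and that a CE entry is at least CE_ENTRY_LEN bytes long.
 */
struct walk_result susp_walk(const uint8_t *buf, size_t len, int strict)
{
    struct walk_result r = { 0, 0, 0 };
    size_t off = 0;

    while (off + sizeof(struct susp_header) <= len) {   /* pend >= phead + 1 */
        const struct susp_header *h = (const struct susp_header *)(buf + off);
        size_t remain = len - off;

        if (h->length == 0)                             /* zeroed tail: stop */
            break;
        if (strict && (h->length < sizeof *h || remain < h->length))
            break;                                      /* entry does not fit */

        r.entries++;
        if (memcmp(h->type, "CE", 2) == 0) {
            if (strict && h->length < CE_ENTRY_LEN) {
                /* declared too short to be a CE entry: skip it */
            } else if (remain < CE_ENTRY_LEN) {
                r.overreads++;      /* lax mode: isonum_733() would read past the end */
            } else {
                r.ce_block = isonum_733(buf + off + sizeof *h);
            }
        }
        if (memcmp(h->type, "ST", 2) == 0)              /* terminator */
            break;
        off += h->length;
    }
    return r;
}

/* Write a 32-bit value in 7.3.3 form: little-endian then big-endian. */
static void put_733(uint8_t *d, uint32_t v)
{
    for (int i = 0; i < 4; i++) {
        d[i]     = (uint8_t)(v >> (8 * i));
        d[7 - i] = (uint8_t)(v >> (8 * i));
    }
}

/*
 * Constructed system-use area (not bytes from the attached image):
 *   entry 1: an 8-byte "XX" entry, unknown to this walker and skipped
 *   entry 2: a CE entry (declared length 28) with its 24-byte body
 * With truncated != 0 the area ends right after the CE header, so the header
 * passes the "header fits" check while the body does not exist.
 */
size_t build_area(uint8_t *out, int truncated)
{
    size_t n = 0;
    memcpy(out + n, "XX\x08\x01\x00\x00\x00\x00", 8); n += 8;
    memcpy(out + n, "CE\x1c\x01", 4);                 n += 4;
    if (truncated)
        return n;
    put_733(out + n, 0x1234); n += 8;   /* block of the continuation area */
    put_733(out + n, 0);      n += 8;   /* byte offset within that block */
    put_733(out + n, 0x100);  n += 8;   /* length of the continuation */
    return n;
}

struct walk_result run_demo(int truncated, int strict)
{
    uint8_t area[64];
    return susp_walk(area, build_area(area, truncated), strict);
}

int main(void)
{
    for (int t = 0; t < 2; t++)
        for (int s = 0; s < 2; s++) {
            struct walk_result r = run_demo(t, s);
            printf("%-9s area, %-11s check: entries=%d overreads=%d ce_block=0x%x\n",
                   t ? "truncated" : "complete", s ? "whole-entry" : "header-only",
                   r.entries, r.overreads, (unsigned)r.ce_block);
        }
    return 0;
}
```

On the truncated area the header-only walk dispatches the CE entry and would read 24 bytes past the end, which is the shape of the fault in the trace; the whole-entry walk stops at that header because its declared 28 bytes do not fit. The per-type minimum-length check matters too: a length byte that fits the area but is smaller than the record the handler decodes would otherwise let the handler read into the following entry.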