From owner-freebsd-bugs@FreeBSD.ORG  Tue Apr 11 15:00:42 2006
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1350F16A4E5
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 11 Apr 2006 15:00:42 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6596143D68
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 11 Apr 2006 15:00:35 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k3BF0Z3G049171
	for <freebsd-bugs@freefall.freebsd.org>; Tue, 11 Apr 2006 15:00:35 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k3BF0Zpl049170;
	Tue, 11 Apr 2006 15:00:35 GMT (envelope-from gnats)
Resent-Date: Tue, 11 Apr 2006 15:00:35 GMT
Resent-Message-Id: <200604111500.k3BF0Zpl049170@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Oliver Fromme <olli@secnetix.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 790EA16A400
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 11 Apr 2006 14:58:02 +0000 (UTC)
	(envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AFF9743D6A
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 11 Apr 2006 14:58:01 +0000 (GMT)
	(envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (fwdixg@localhost [127.0.0.1])
	by lurza.secnetix.de (8.13.4/8.13.4) with ESMTP id k3BEvtvU041969;
	Tue, 11 Apr 2006 16:58:00 +0200 (CEST)
	(envelope-from oliver.fromme@secnetix.de)
Received: (from olli@localhost)
	by lurza.secnetix.de (8.13.4/8.13.1/Submit) id k3BEvsxR041968;
	Tue, 11 Apr 2006 16:57:54 +0200 (CEST) (envelope-from olli)
Message-Id: <200604111457.k3BEvsxR041968@lurza.secnetix.de>
Date: Tue, 11 Apr 2006 16:57:54 +0200 (CEST)
From: Oliver Fromme <olli@secnetix.de>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: Oliver Fromme <olli@secnetix.de>
Subject: kern/95625: [PATCH] Bug in cdboot's ISO9660 file name matching
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Oliver Fromme <olli@secnetix.de>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Apr 2006 15:00:42 -0000


>Number:         95625
>Category:       kern
>Synopsis:       [PATCH] Bug in cdboot's ISO9660 file name matching
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 11 15:00:34 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Oliver Fromme
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
secnetix GmbH & Co. KG
		http://www.secnetix.de/bsd
>Environment:

   The bug is present in all versions of FreeBSD that have
   /boot/cdboot, including RELENG_5, RELENG_6 and HEAD.
   The cdboot program is used on i386 and amd64.

>Description:

   There's a bug in src/sys/boot/i386/cdboot/cdboot.s.
   I suggest you have a look at the simple patch below
   first -- it's pretty obvious.

   The code uses a string op loop (repe cmpsb) to compare
   the file name in the ISO9660 directory entry with the
   desired file name that should be loaded.

   However, after the loop, "jcxz" is used to decide
   whether the comparison produced a match.  That's not
   the right way to do it:  %cx is zero even if the last
   character did not match (provided that the file names
   are the same length, of course).

   That means that, if you have two file names that differ
   only in the last character, cdboot might try to load
   the wrong one (depending on which one appears first in
   the directory).

   The fix is simple:  Use "je" (jump if equal) instead
   of "jcxz", because cmpsb sets the zero flag when the
   characters compare equal (just like normal cmp).

>How-To-Repeat:

   Create a bootable FreeBSD CD that contains a file
   "/boot/loaded" (or similar) and watch cdboot loading
   the wrong file.

>Fix:

--- src/sys/boot/i386/cdboot/cdboot.s.orig	Tue Jun 22 23:55:22 2004
+++ src/sys/boot/i386/cdboot/cdboot.s	Tue Apr 11 16:39:48 2006
@@ -400,7 +400,7 @@
 ff.checkname:	lea DIR_NAME(%bx),%di		# Address name in record
 		push %si			# Save
 		repe cmpsb			# Compare name
-		jcxz ff.match			# We have a winner!
+		je ff.match			# We have a winner!
 		pop %si				# Restore
 		jmp ff.nextrec			# Keep looking.
 ff.match:	add $2,%sp			# Discard saved %si

>Release-Note:
>Audit-Trail:
>Unformatted: