Created attachment 233589
a file that causes etdump to crash

dump_section() in /usr/src/usr.bin/etdump/etdump.c says:

        for (i = 1; i <= (int)sh->num_section_entries[0]; i++) {
                entry_offset = offset + i * ET_BOOT_ENTRY_SIZE;
                entry =
                    (boot_catalog_section_entry *)&buffer[entry_offset];

If sh->num_section_entries[0] is large, for example 255, it causes
etdump to read off the end of buffer[2048], and on my machine off the
end of the stack, and crash.

I've attached a demo image:

% uname -a
FreeBSD xxx 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24 07:33:27 UTC 2021 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
% etdump etbad2
etdump: etbad2: not a valid ISO
etdump: etbad2: not an El Torito bootable ISO
etdump: etbad2: boot catalog checksum is invalid
Image in etbad2
Section header: invalid
Section entry
System i386
Start LBA 2021161080 (0x78787878), sector count 30840 (0x7878)
Media type: invalid
Bus error (core dumped)

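A bounds-checked form of the loop described in the report above, as an added example (it is not the etdump source and not the committed fix). The 32-byte record size, the field offsets and the header position 64 are assumptions based on the El Torito catalog layout; walk_section and le32 are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 2048 /* size of buffer[] in the report */
#define ENTRY_SIZE  32   /* assumed value of ET_BOOT_ENTRY_SIZE */
#define COUNT_OFF   2    /* assumed offset of num_section_entries[0] */
#define LBA_OFF     8    /* assumed offset of an entry's start LBA */

/* Read a little-endian 32-bit value without an unaligned pointer cast. */
static uint32_t
le32(const uint8_t *p)
{
	return (p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24));
}

/*
 * Walk the section entries after the header at `offset`, storing up to
 * `max` start LBAs in `lbas`. Returns the entry count, or -1 if the header
 * or any claimed entry would lie outside buf[0..len).
 */
int
walk_section(const uint8_t *buf, size_t len, size_t offset, uint32_t *lbas,
    int max)
{
	if (offset > len || len - offset < ENTRY_SIZE)
		return (-1);	/* the header itself is out of bounds */
	int count = buf[offset + COUNT_OFF];	/* from the image, 0..255 */
	/* Header is slot 0, entries are slots 1..count; check before reading. */
	if ((size_t)count > (len - offset) / ENTRY_SIZE - 1)
		return (-1);
	for (int i = 1; i <= count; i++) {
		const uint8_t *entry = buf + offset + (size_t)i * ENTRY_SIZE;
		if (i <= max)
			lbas[i - 1] = le32(entry + LBA_OFF);
	}
	return (count);
}

int
main(void)
{
	uint8_t sector[SECTOR_SIZE];
	uint32_t lbas[4];

	memset(sector, 0x78, sizeof(sector));	/* constructed sample sector */
	/* The header at 64 claims 0x78 = 120 entries; only 61 fit. */
	return (walk_section(sector, sizeof(sector), 64, lbas, 4) == -1 ? 0 : 1);
}
```
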
https://reviews.freebsd.org/D35868
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ddf77ec392717e7eaf278c0f201b561afac97b87

commit ddf77ec392717e7eaf278c0f201b561afac97b87
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-05-03 20:13:37 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-03-22 13:12:45 +0000

    etdump: exit on error if section header or entry offset is OOB

    PR:             263663
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    markj
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D35868

 usr.bin/etdump/etdump.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=dc3d0ff61575870614ba3691a0cbbbf8f6ff2065

commit dc3d0ff61575870614ba3691a0cbbbf8f6ff2065
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-05-03 20:13:37 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-03-23 12:49:43 +0000

    etdump: exit on error if section header or entry offset is OOB

    PR:             263663
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    markj
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D35868

    (cherry picked from commit ddf77ec392717e7eaf278c0f201b561afac97b87)

 usr.bin/etdump/etdump.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3976ad45bb0646dc2f0a98c138239f1eb84ac0e7

commit 3976ad45bb0646dc2f0a98c138239f1eb84ac0e7
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-05-03 20:13:37 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-03-23 12:53:04 +0000

    etdump: exit on error if section header or entry offset is OOB

    PR:             263663
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    markj
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D35868

    (cherry picked from commit ddf77ec392717e7eaf278c0f201b561afac97b87)

 usr.bin/etdump/etdump.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

Now fixed in all supported branches. Thanks again Robert for finding all of these bugs!