Bug 272896 - cd9660_rrip_*() can read beyond the end of a buf
Summary: cd9660_rrip_*() can read beyond the end of a buf
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-02 15:52 UTC by Robert Morris
Modified: 2023-08-02 23:24 UTC
CC: 2 users

See Also:


Attachments
a cd9660 image that causes cd9660_rrip_cont() to read beyond the end of a buf (15.37 KB, application/x-gzip)
2023-08-02 15:52 UTC, Robert Morris

Description Robert Morris 2023-08-02 15:52:56 UTC
Created attachment 243805
a cd9660 image that causes cd9660_rrip_cont() to read beyond the end of a buf

cd9660_rrip_loop() checks that the SUSP header is within the buf:

                while (pend >= phead + 1) {

But individual RRIP functions access fields beyond phead+1, and as a
result can crash if phead is just before the end of the buf.

I've attached a demo image:

# gunzip cd1a.iso.gz
# mdconfig cd1a.iso
# mount_cd9660 /dev/md0 /mnt
panic: vm_fault_lookup: fault on nofault entry, addr: 0xffffffc003a35000
--- exception 13, tval = 0xffffffc003a35001
isonum_733() at isonum_733+0x8
cd9660_rrip_cont() at cd9660_rrip_cont+0x16
cd9660_rrip_loop() at cd9660_rrip_loop+0xfa
cd9660_rrip_offset() at cd9660_rrip_offset+0x70
iso_mountfs() at iso_mountfs+0x692
cd9660_mount() at cd9660_mount+0x1a2
vfs_domount_first() at vfs_domount_first+0x1cc
vfs_domount() at vfs_domount+0x26c
vfs_donmount() at vfs_donmount+0x82c
sys_nmount() at sys_nmount+0x5e
syscallenter() at syscallenter+0xe0
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf2
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (378, FreeBSD ELF64, nmount)
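The pattern described in the report, as an added example that is not FreeBSD's code and not part of the report: a SUSP entry walk whose only bound check is that the 4-byte header fits (the equivalent of "pend >= phead + 1"), beside a walk that also checks the entry's own length byte and the per-type size before any field is read. The struct layouts are a simplified model of the SUSP header and the Rock Ridge "CE" continuation entry (three 8-byte 733-format fields), the function names walk_weak and walk_hardened are hypothetical, and both sample buffers are constructed here: one where the CE header is the last 4 bytes of the area, one where the CE is complete. The weak walk cannot safely dereference past the buffer in user space, so it records that it would have instead of faulting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: simplified model of the on-disk SUSP header. "length" counts
 * the whole entry, header included. */
struct susp_header {
	char    type[2];
	uint8_t length;
	uint8_t version;
};

/* Assumption: simplified "CE" continuation entry, 4 + 3*8 = 28 bytes. */
struct rrip_cont {
	struct susp_header h;
	uint8_t location[8];
	uint8_t offset[8];
	uint8_t length[8];
};

struct walk_result {
	int      entries;     /* entries decoded before the walk stopped */
	int      overrun;     /* weak walk: a field read would have passed pend */
	int      malformed;   /* hardened walk: entry rejected before any read */
	uint32_t ce_location; /* decoded CE location, if a CE was decoded */
};

/* 733 format: little-endian copy then big-endian copy; use the LE half. */
static uint32_t isonum_733(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Only the header is checked against the end of the area; the CE handler
 * then needs sizeof(struct rrip_cont) bytes. Offsets replace pointers so
 * the check "off + sizeof(header) <= len" mirrors "pend >= phead + 1". */
int walk_weak(const uint8_t *buf, size_t len, struct walk_result *r)
{
	size_t off = 0;
	struct susp_header h;

	memset(r, 0, sizeof *r);
	while (off + sizeof h <= len) {
		memcpy(&h, buf + off, sizeof h);
		if (memcmp(h.type, "CE", 2) == 0) {
			struct rrip_cont ce;
			if (off + sizeof ce > len) {
				r->overrun = 1; /* the kernel would fault here */
				return -1;
			}
			memcpy(&ce, buf + off, sizeof ce);
			r->ce_location = isonum_733(ce.location);
		}
		r->entries++;
		if (h.length < sizeof h)
			break;          /* assumption: refuse to loop forever */
		off += h.length;
	}
	return 0;
}

/* Hardened: the entry must fit as declared by its own length byte, and a
 * typed entry must be at least as long as the struct that will read it. */
int walk_hardened(const uint8_t *buf, size_t len, struct walk_result *r)
{
	size_t off = 0;
	struct susp_header h;

	memset(r, 0, sizeof *r);
	while (off + sizeof h <= len) {
		memcpy(&h, buf + off, sizeof h);
		if (h.length < sizeof h || h.length > len - off) {
			r->malformed = 1;
			return -1;
		}
		if (memcmp(h.type, "CE", 2) == 0) {
			struct rrip_cont ce;
			if (h.length < sizeof ce) {
				r->malformed = 1;
				return -1;
			}
			memcpy(&ce, buf + off, sizeof ce);
			r->ce_location = isonum_733(ce.location);
		}
		r->entries++;
		off += h.length;
	}
	return 0;
}

/* Constructed: a 16-byte padding entry, then a CE whose header is the
 * last 4 bytes of the area (header fits, fields do not). */
const uint8_t truncated_ce[20] = {
	'P', 'D', 16, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	'C', 'E', 28, 1,
};

/* Constructed: same prefix, complete CE pointing at block 42, length 2048. */
const uint8_t complete_ce[44] = {
	'P', 'D', 16, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	'C', 'E', 28, 1,
	42, 0, 0, 0, 0, 0, 0, 42,  /* location, 733 format */
	0, 0, 0, 0, 0, 0, 0, 0,    /* offset */
	0, 8, 0, 0, 0, 0, 8, 0,    /* length */
};

int main(void)
{
	struct walk_result r;

	walk_weak(truncated_ce, sizeof truncated_ce, &r);
	printf("weak, truncated CE: overrun=%d entries=%d\n", r.overrun, r.entries);
	walk_hardened(truncated_ce, sizeof truncated_ce, &r);
	printf("hardened, truncated CE: malformed=%d entries=%d\n", r.malformed, r.entries);
	walk_hardened(complete_ce, sizeof complete_ce, &r);
	printf("hardened, complete CE: location=%u entries=%d\n", r.ce_location, r.entries);
	return 0;
}
```

The point the check illustrates: a header-only bound proves nothing about the bytes a typed handler will read, so the length byte and the per-type minimum size both have to be validated before the cast, which is what the crashing image in the attachment exercises.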