thr3ads.net - Syslinux - [syslinux] [PATCH] gfxboot: fix buffer overrun when loading kernel/initramfs [Jul 2010]

If this information is useful, please help other people find it:
Share via:

Colin Watson

2010-Jul-14 13:11 UTC

[syslinux] [PATCH] gfxboot: fix buffer overrun when loading kernel/initramfs

If the file size wasn't a multiple of 64KB, we could overwrite the next
entry in the malloc arena so reading the initramfs would fail.

Signed-off-by: Colin Watson <cjwatson at ubuntu.com>
---
 com32/gfxboot/gfxboot.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/com32/gfxboot/gfxboot.c b/com32/gfxboot/gfxboot.c
index dd4d641..0fbfadd 100644
--- a/com32/gfxboot/gfxboot.c
+++ b/com32/gfxboot/gfxboot.c
@@ -21,6 +21,7 @@
 #include <fcntl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <minmax.h>
 
 #include <syslinux/loadfile.h>
 #include <syslinux/config.h>
@@ -749,7 +750,7 @@ void *load_one(char *file, ssize_t *file_size)
   if(size) {
     buf = malloc(size);
     for(i = 1, cur = 0 ; cur < size && i > 0; cur += i) {
-      i = save_read(fd, buf + cur, CHUNK_SIZE);
+      i = save_read(fd, buf + cur, min(CHUNK_SIZE, size - cur));
       if(i == -1) break;
       gfx_progress_update(i);
     }
-- 
1.7.1

Sebastian Herbszt

2010-Jul-15 12:54 UTC

head link

[syslinux] [PATCH] gfxboot: fix buffer overrun when loadingkernel/initramfs

Colin Watson wrote:> If the file size wasn't a multiple of 64KB, we could overwrite the next
> entry in the malloc arena so reading the initramfs would fail.
Can you please describe how to reproduce the problem you're facing?
> Signed-off-by: Colin Watson <cjwatson at ubuntu.com>
> ---
> com32/gfxboot/gfxboot.c |    3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/com32/gfxboot/gfxboot.c b/com32/gfxboot/gfxboot.c
> index dd4d641..0fbfadd 100644
> --- a/com32/gfxboot/gfxboot.c
> +++ b/com32/gfxboot/gfxboot.c
> @@ -21,6 +21,7 @@
> #include <fcntl.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> +#include <minmax.h>
> 
> #include <syslinux/loadfile.h>
> #include <syslinux/config.h>
> @@ -749,7 +750,7 @@ void *load_one(char *file, ssize_t *file_size)
>   if(size) {
>     buf = malloc(size);
>     for(i = 1, cur = 0 ; cur < size && i > 0; cur += i) {
> -      i = save_read(fd, buf + cur, CHUNK_SIZE);
> +      i = save_read(fd, buf + cur, min(CHUNK_SIZE, size - cur));
If there are fewer bytes to read (e.g. size-cur) than we request (CHUNK_SIZE)
the
read() call should return the fewer bytes (i == size-cur) and not overrun buf.
>       if(i == -1) break;
>       gfx_progress_update(i);
>     }
> -- 
> 1.7.1
Sebastian

Apparently Analagous Threads

Search for more apparently analagous threads

Syslinux - Jul 2010 - [PATCH] gfxboot: fix buffer overrun when loading kernel/initramfs

[syslinux] [PATCH] gfxboot: fix buffer overrun when loading kernel/initramfs

[syslinux] [PATCH] gfxboot: fix buffer overrun when loadingkernel/initramfs

Apparently Analagous Threads