Print this page
3027 installgrub can segfault when encountering bogus data on disk
Split |
Close |
Expand all |
Collapse all |
--- old/usr/src/cmd/boot/common/mboot_extra.c
+++ new/usr/src/cmd/boot/common/mboot_extra.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
23 23 */
24 24
25 25 #include <stdio.h>
26 26 #include <errno.h>
27 27 #include <assert.h>
28 28 #include <unistd.h>
29 29 #include <libintl.h>
30 30 #include <sys/multiboot.h>
31 31 #include <sys/sysmacros.h>
32 32
33 33 #include "bblk_einfo.h"
34 34 #include "boot_utils.h"
35 35 #include "mboot_extra.h"
36 36
37 37 /*
38 38 * Common functions to deal with the fake-multiboot encapsulation of the
39 39 * bootblock and the location of the extra information area.
40 40 */
41 41
42 42 /* mboot checksum routine. */
43 43 uint32_t
44 44 compute_checksum(char *data, uint32_t size)
45 45 {
46 46 uint32_t *ck_ptr;
47 47 uint32_t cksum = 0;
48 48 int i;
49 49
50 50 ck_ptr = (uint32_t *)data;
51 51 for (i = 0; i < size; i += sizeof (uint32_t))
52 52 cksum += *ck_ptr++;
53 53
54 54 return (-cksum);
55 55 }
56 56
57 57 /* Given a buffer, look for a multiboot header within it. */
58 58 int
59 59 find_multiboot(char *buffer, uint32_t buf_size, uint32_t *mboot_off)
60 60 {
61 61 multiboot_header_t *mboot;
62 62 uint32_t *iter;
63 63 uint32_t cksum;
64 64 uint32_t boundary;
65 65 int i = 0;
66 66
67 67 iter = (uint32_t *)buffer;
68 68 *mboot_off = 0;
69 69 /* multiboot header has to be within the first 32K. */
70 70 boundary = MBOOT_SCAN_SIZE;
71 71 if (boundary > buf_size)
72 72 boundary = buf_size;
73 73
74 74 boundary = boundary - sizeof (multiboot_header_t);
75 75
76 76 for (i = 0; i < boundary; i += 4, iter++) {
77 77
78 78 mboot = (multiboot_header_t *)iter;
79 79 if (mboot->magic != MB_HEADER_MAGIC)
80 80 continue;
81 81
82 82 /* Found magic signature -- check checksum. */
83 83 cksum = -(mboot->flags + mboot->magic);
84 84 if (mboot->checksum != cksum) {
85 85 BOOT_DEBUG("multiboot magic found at %p, but checksum "
86 86 "mismatches (is %x, should be %x)\n", mboot,
87 87 mboot->checksum, cksum);
88 88 continue;
89 89 } else {
90 90 if (!(mboot->flags & BB_MBOOT_AOUT_FLAG)) {
91 91 BOOT_DEBUG("multiboot structure found, but no "
92 92 "AOUT kludge specified, skipping.\n");
93 93 continue;
94 94 } else {
95 95 /* proper multiboot structure found. */
96 96 *mboot_off = i;
97 97 return (BC_SUCCESS);
98 98 }
99 99 }
↓ open down ↓ |
99 lines elided |
↑ open up ↑ |
100 100 }
101 101
102 102 return (BC_ERROR);
103 103 }
104 104
105 105 /*
106 106 * Given a pointer to the extra information area (a sequence of bb_header_ext_t
107 107 * + payload chunks), find the extended information structure.
108 108 */
109 109 bblk_einfo_t *
110 -find_einfo(char *extra)
110 +find_einfo(char *extra, uint32_t size)
111 111 {
112 112 bb_header_ext_t *ext_header;
113 113 bblk_einfo_t *einfo;
114 114 uint32_t cksum;
115 115
116 116 assert(extra != NULL);
117 117
118 118 ext_header = (bb_header_ext_t *)extra;
119 + if (ext_header->size > size) {
120 + BOOT_DEBUG("Unable to find extended versioning information, "
121 + "data size too big\n");
122 + return (NULL);
123 + }
124 +
119 125 cksum = compute_checksum(extra + sizeof (bb_header_ext_t),
120 126 ext_header->size);
121 127 BOOT_DEBUG("Extended information header checksum is %x\n", cksum);
122 128
123 129 if (cksum != ext_header->checksum) {
124 130 BOOT_DEBUG("Unable to find extended versioning information, "
125 131 "data looks corrupted\n");
126 132 return (NULL);
127 133 }
128 134
129 135 /*
130 136 * Currently we only have one extra header so it must be encapsulating
131 137 * the extended information structure.
132 138 */
133 139 einfo = (bblk_einfo_t *)(extra + sizeof (bb_header_ext_t));
134 140 if (memcmp(einfo->magic, EINFO_MAGIC, EINFO_MAGIC_SIZE) != 0) {
135 141 BOOT_DEBUG("Unable to read stage2 extended versioning "
136 142 "information, wrong magic identifier\n");
137 143 BOOT_DEBUG("Found %s, expected %s\n", einfo->magic,
138 144 EINFO_MAGIC);
139 145 return (NULL);
140 146 }
141 147
142 148 return (einfo);
143 149 }
144 150
145 151 /*
146 152 * Given a pointer to the extra area, add the extended information structure
147 153 * encapsulated by a bb_header_ext_t structure.
148 154 */
149 155 void
150 156 add_einfo(char *extra, char *updt_str, bblk_hs_t *hs, uint32_t avail_space)
151 157 {
152 158 bb_header_ext_t *ext_hdr;
153 159 uint32_t used_space;
154 160 unsigned char *dest;
155 161 int ret;
156 162
157 163 assert(extra != NULL);
158 164
159 165 if (updt_str == NULL) {
160 166 BOOT_DEBUG("WARNING: no update string passed to "
161 167 "add_stage2_einfo()\n");
162 168 return;
163 169 }
164 170
165 171 /* Reserve space for the extra header. */
166 172 ext_hdr = (bb_header_ext_t *)extra;
167 173 dest = (unsigned char *)extra + sizeof (*ext_hdr);
168 174 /* Place the extended information structure. */
169 175 ret = prepare_and_write_einfo(dest, updt_str, hs, avail_space,
170 176 &used_space);
171 177 if (ret != 0) {
172 178 (void) fprintf(stderr, gettext("Unable to write the extended "
173 179 "versioning information\n"));
174 180 return;
175 181 }
176 182
177 183 /* Fill the extended information associated header. */
178 184 ext_hdr->size = P2ROUNDUP(used_space, 8);
179 185 ext_hdr->checksum = compute_checksum((char *)dest, ext_hdr->size);
180 186 }
↓ open down ↓ |
52 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX