3027 installgrub can segfault when encountering bogus data on disk

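--- a/usr/src/cmd/boot/installboot/installboot.c
+++ b/usr/src/cmd/boot/installboot/installboot.c
@@ -245,20 +245,22 @@
 		bblock->buf = NULL;
 		return (BC_ERROR);
 	}
 
 	/* Update pointers. */
 	bblock->file = bblock->buf;
 	bblock->mboot_off = mboot_off;
 	bblock->mboot = (multiboot_header_t *)(bblock->buf + bblock->mboot_off
 	    + BBLK_DATA_RSVD_SIZE);
 	bblock->extra = (char *)bblock->mboot + sizeof (multiboot_header_t);
+	bblock->extra_size = bblock->buf_size - bblock->mboot_off
+	    - BBLK_DATA_RSVD_SIZE - sizeof (multiboot_header_t);
 	return (BC_SUCCESS);
 }
 
 static boolean_t
 is_update_necessary(ib_data_t *data, char *updt_str)
 {
 	bblk_einfo_t	*einfo;
 	bblk_hs_t	bblock_hs;
 	ib_bootblock_t	bblock_disk;
 	ib_bootblock_t	*bblock_file = &data->bootblock;
@@ -272,21 +274,21 @@
 	if (!is_zfs(device->type))
 		return (B_TRUE);
 
 	bzero(&bblock_disk, sizeof (ib_bootblock_t));
 
 	if (read_bootblock_from_disk(dev_fd, &bblock_disk) != BC_SUCCESS) {
 		BOOT_DEBUG("Unable to read bootblock from %s\n", device->path);
 		return (B_TRUE);
 	}
 
-	einfo = find_einfo(bblock_disk.extra);
+	einfo = find_einfo(bblock_disk.extra, bblock_disk.extra_size);
 	if (einfo == NULL) {
 		BOOT_DEBUG("No extended information available\n");
 		return (B_TRUE);
 	}
 
 	if (!do_version || updt_str == NULL) {
 		(void) fprintf(stdout, "WARNING: target device %s has a "
 		    "versioned bootblock that is going to be overwritten by a "
 		    "non versioned one\n", device->path);
 		return (B_TRUE);
@@ -709,21 +711,21 @@
 	if (ret == BC_NOEXTRA) {
 		BOOT_DEBUG("No multiboot header found on %s, unable "
 		    "to locate extra information area (old/non versioned "
 		    "bootblock?) \n", device_path);
 		(void) fprintf(stderr, gettext("No extended information "
 		    "found\n"));
 		retval = BC_NOEINFO;
 		goto out_dev;
 	}
 
-	einfo = find_einfo(bblock->extra);
+	einfo = find_einfo(bblock->extra, bblock->extra_size);
 	if (einfo == NULL) {
 		retval = BC_NOEINFO;
 		(void) fprintf(stderr, gettext("No extended information "
 		    "found\n"));
 		goto out_dev;
 	}
 
 	/* Print the extended information. */
 	if (strip)
 		flags |= EINFO_EASY_PARSE;
@@ -810,21 +812,21 @@
 		goto out_devs;
 	}
 
 	if (ret == BC_NOEXTRA) {
 		BOOT_DEBUG("No multiboot header found on %s, unable to retrieve"
 		    " the bootblock\n", curr_device->path);
 		retval = BC_NOEXTRA;
 		goto out_devs;
 	}
 
-	einfo_curr = find_einfo(bblock_curr->extra);
+	einfo_curr = find_einfo(bblock_curr->extra, bblock_curr->extra_size);
 	if (einfo_curr != NULL)
 		updt_str = einfo_get_string(einfo_curr);
 
 	retval = propagate_bootblock(&curr_data, &attach_data, updt_str);
 	cleanup_bootblock(bblock_curr);
 	cleanup_bootblock(bblock_attach);
 out_devs:
 	cleanup_device(attach_device);
 out_currdev:
 	cleanup_device(curr_device);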
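Review bot: The new extra_size computation at new lines 255-256 subtracts mboot_off, BBLK_DATA_RSVD_SIZE and sizeof (multiboot_header_t) from buf_size without first checking that buf_size is at least that large; if mboot_off was located near the end of the buffer the result goes negative or, should extra_size be an unsigned type, wraps to a huge value, and find_einfo is then handed a bound that bounds nothing, which is precisely the bogus-on-disk input this bug is about. The error path already visible at lines 245-246 (`bblock->buf = NULL;` / `return (BC_ERROR);`) suggests where a guard belongs, just ahead of the "Update pointers" block: `if (bblock->buf_size < bblock->mboot_off + BBLK_DATA_RSVD_SIZE + sizeof (multiboot_header_t))` followed by the same buffer cleanup and `return (BC_ERROR);`. Whether the helper that produced mboot_off already enforces this minimum, and what type extra_size is declared with, cannot be seen from this hunk, so this may be covered elsewhere in the change. The function owning this hunk begins above the first hunk, and find_einfo's new two-argument definition is not shown here.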