git: 3df4c387d2e3 - main - libsa: Fix infinite loop in bzipfs & gzipfs

David Bright dab at FreeBSD.org
Tue Jun 1 16:08:28 UTC 2021


The branch main has been updated by dab:

URL: https://cgit.FreeBSD.org/src/commit/?id=3df4c387d2e3ca4c2391fb837540b048f60a11c2

commit 3df4c387d2e3ca4c2391fb837540b048f60a11c2
Author:     David Bright <dab at FreeBSD.org>
AuthorDate: 2021-05-24 17:12:15 +0000
Commit:     David Bright <dab at FreeBSD.org>
CommitDate: 2021-06-01 16:08:20 +0000

    libsa: Fix infinite loop in bzipfs & gzipfs
    
    A bug in the loader's bzipfs & gzipfs filesystems caused compressed
    kernel and modules not to work on EFI systems with a veriexec-enabled
    loader. Since the size of files in these filesystems is not known
    _a priori_, `stat` would initialize the size to -1 and the loader would
    then hang in an infinite loop while trying to seek (read) to the end
    of file since the loop termination condition compares the current
    offset to that negative target position.
    
    Reviewers:      vangyzen, imp, Bret Ketchum (Bret.Ketchum at dell.com)
    Differential Revision:  https://reviews.freebsd.org/D30414
    Sponsored by:   Dell EMC Isilon
    MFC to:      stable/12, stable/13
    MFC after:   1 week
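The failure mode described above, as an added example that is not FreeBSD's libsa code: a model of a seek-forward loop over a decompressing stream whose length is unknown up front. The decompressor is a constructed fixed-length stream handed out in chunks; `seek_buggy` has the pre-fix shape (loop until the output position reaches the target, with an iteration cap so the demo terminates), `seek_fixed` breaks out as soon as the read path reports end of stream, as the commit does, and additionally rejects a negative target before entering the loop. The real loop condition is not in the hunk; the model uses an unsigned position compared against a signed `off_t` target, which is one way a target of -1 becomes unreachable. `fake_read`, `STREAM_LEN`, `CHUNK` and `MAX_ITERS` are assumptions of this example.

```c
/*
 * Added example (not FreeBSD's libsa code): model of a seek-forward loop
 * over a decompressing stream whose length is unknown up front.
 */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

#define STREAM_LEN 1000UL   /* constructed decompressed size, unknown to callers */
#define CHUNK      64UL     /* hypothetical read buffer size */
#define MAX_ITERS  100000L  /* cap so the buggy loop still terminates in this demo */

struct zstream {
    unsigned long total_out;  /* decompressed bytes produced so far (unsigned, as in zlib) */
    int endseen;              /* set once the end of the stream has been produced */
};

/* Hypothetical read: produce up to n bytes; sets endseen at the stream end. */
static size_t
fake_read(struct zstream *z, size_t n)
{
    if (z->endseen)
        return 0;
    if (n > CHUNK)
        n = CHUNK;
    if (z->total_out + n >= STREAM_LEN) {
        n = STREAM_LEN - z->total_out;
        z->endseen = 1;
    }
    z->total_out += n;
    return n;
}

/*
 * Pre-fix shape: loop until total_out reaches target. With an unsigned
 * position and a signed target, target == -1 is promoted to ULONG_MAX and
 * is never reached, so the loop only stops because of the MAX_ITERS cap.
 * Returns -1 if the cap was hit, otherwise the final position.
 */
static off_t
seek_buggy(struct zstream *z, off_t target, long *iters)
{
    *iters = 0;
    while (z->total_out < (unsigned long)target) {
        if (++*iters > MAX_ITERS)
            return -1;                 /* would have spun forever */
        fake_read(z, (unsigned long)target - z->total_out);
    }
    return (off_t)z->total_out;
}

/*
 * Fixed shape: stop as soon as the decompressor reports end of stream (the
 * commit's fix) and reject a negative target up front (added in this example).
 */
static off_t
seek_fixed(struct zstream *z, off_t target, long *iters)
{
    *iters = 0;
    if (target < 0) {
        errno = EINVAL;
        return -1;
    }
    while (z->total_out < (unsigned long)target) {
        ++*iters;
        fake_read(z, (unsigned long)target - z->total_out);
        if (z->endseen)
            break;                     /* EOF: report where we really are */
    }
    return (off_t)z->total_out;
}

/* Scenario helpers: each starts from a fresh stream so results can be checked by name. */
static off_t seek_buggy_from_start(off_t target) { struct zstream z = { 0, 0 }; long it; return seek_buggy(&z, target, &it); }
static off_t seek_fixed_from_start(off_t target) { struct zstream z = { 0, 0 }; long it; return seek_fixed(&z, target, &it); }
static long  fixed_iters_from_start(off_t target) { struct zstream z = { 0, 0 }; long it; seek_fixed(&z, target, &it); return it; }

int
main(void)
{
    printf("buggy seek to -1: %lld (capped)\n", (long long)seek_buggy_from_start(-1));
    printf("fixed seek to -1: %lld (EINVAL)\n", (long long)seek_fixed_from_start(-1));
    printf("fixed seek past EOF (5000): pos %lld after %ld reads\n",
        (long long)seek_fixed_from_start(5000), fixed_iters_from_start(5000));
    printf("fixed seek within file (200): pos %lld\n", (long long)seek_fixed_from_start(200));
    return 0;
}
```

A seek past the end now returns the true decompressed length, which is exactly what a caller probing the size of a file whose `stat` size is unknown needs.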
---
 stand/libsa/bzipfs.c | 3 +++
 stand/libsa/gzipfs.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/stand/libsa/bzipfs.c b/stand/libsa/bzipfs.c
index 47380ae72e5e..bb67bda2aa19 100644
--- a/stand/libsa/bzipfs.c
+++ b/stand/libsa/bzipfs.c
@@ -340,6 +340,9 @@ bzf_seek(struct open_file *f, off_t offset, int where)
 	    target - bzf->bzf_bzstream.total_out_lo32), NULL);
 	if (errno)
 	    return(-1);
+	/* Break out of loop if end of file has been reached. */
+	if (bzf->bzf_endseen)
+	    break;
     }
     /* This is where we are (be honest if we overshot) */
     return(bzf->bzf_bzstream.total_out_lo32);
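Review bot: the added `if (bzf->bzf_endseen) break;` stops the spin but treats the symptom rather than the input: per the commit message the loop is entered with a target of -1 from `stat`, and in the visible read call `target - bzf->bzf_bzstream.total_out_lo32` is computed from that negative target before anything bounds it. Consider rejecting `target < 0` with `errno = EINVAL; return(-1);` before the loop in addition to the EOF break, and have the comment say where `bzf_endseen` is set (presumably the read path on end of stream), since this exit condition depends on code outside the hunk.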
diff --git a/stand/libsa/gzipfs.c b/stand/libsa/gzipfs.c
index 39e2f98eb1e0..8154b0f95a9a 100644
--- a/stand/libsa/gzipfs.c
+++ b/stand/libsa/gzipfs.c
@@ -315,6 +315,9 @@ zf_seek(struct open_file *f, off_t offset, int where)
 	    target - zf->zf_zstream.total_out), NULL);
 	if (errno)
 	    return(-1);
+	/* Break out of loop if end of file has been reached. */
+	if (zf->zf_endseen)
+	    break;
     }
     /* This is where we are (be honest if we overshot) */
     return(zf->zf_zstream.total_out);
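Review bot: the returned position after the new break deserves a word in the comment: once `zf_endseen` is set, `zf->zf_zstream.total_out` is the full decompressed length, so a seek to or past the end (including the -1 size from `stat`) now returns the real file size rather than the requested offset. The existing "be honest if we overshot" comment covers a normal overshoot, but any caller that compared the return value with the requested target should be checked. The three added lines are also identical to the bzipfs.c hunk; with two copies, any further guard (such as an up-front `target < 0` check) needs to land in both files.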


More information about the dev-commits-src-main mailing list