From olli@lurza.secnetix.de  Tue Apr 11 14:58:02 2006
Return-Path: <olli@lurza.secnetix.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 790EA16A400
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 11 Apr 2006 14:58:02 +0000 (UTC)
	(envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AFF9743D6A
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 11 Apr 2006 14:58:01 +0000 (GMT)
	(envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (fwdixg@localhost [127.0.0.1])
	by lurza.secnetix.de (8.13.4/8.13.4) with ESMTP id k3BEvtvU041969;
	Tue, 11 Apr 2006 16:58:00 +0200 (CEST)
	(envelope-from oliver.fromme@secnetix.de)
Received: (from olli@localhost)
	by lurza.secnetix.de (8.13.4/8.13.1/Submit) id k3BEvsxR041968;
	Tue, 11 Apr 2006 16:57:54 +0200 (CEST)
	(envelope-from olli)
Message-Id: <200604111457.k3BEvsxR041968@lurza.secnetix.de>
Date: Tue, 11 Apr 2006 16:57:54 +0200 (CEST)
From: Oliver Fromme <olli@secnetix.de>
Reply-To: Oliver Fromme <olli@secnetix.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Oliver Fromme <olli@secnetix.de>
Subject: [PATCH] Bug in cdboot's ISO9660 file name matching
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         95625
>Category:       kern
>Synopsis:       [PATCH] Bug in cdboot's ISO9660 file name matching
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jhb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 11 15:00:34 GMT 2006
>Closed-Date:    Mon Sep 25 09:59:19 GMT 2006
>Last-Modified:  Mon Sep 25 09:59:19 GMT 2006
>Originator:     Oliver Fromme
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
secnetix GmbH & Co. KG
		http://www.secnetix.de/bsd
>Environment:

   The bug is present in all versions of FreeBSD that have
   /boot/cdboot, including RELENG_5, RELENG_6 and HEAD.
   The cdboot program is used on i386 and amd64.

>Description:

   There's a bug in src/sys/boot/i386/cdboot/cdboot.s.
   I suggest you have a look at the simple patch below
   first -- it's pretty obvious.

   The code uses a string op loop (repe cmpsb) to compare
   the file name in the ISO9660 directory entry with the
   desired file name that should be loaded.

   However, after the loop, "jcxz" is used to decide
   whether the comparison produced a match.  That's not
   the right way to do it:  %cx is zero even if the last
   character did not match (provided that the file names
   are the same length, of course).

   That means that, if you have two file names that differ
   only in the last character, cdboot might try to load
   the wrong one (depending on which one appears first in
   the directory).

   The fix is simple:  Use "je" (jump if equal) instead
   of "jcxz", because cmpsb sets the zero flag when the
   characters compare equal (just like normal cmp).

>How-To-Repeat:

   Create a bootable FreeBSD CD that contains a file
   "/boot/loaded" (or similar) and watch cdboot loading
   the wrong file.

>Fix:

--- src/sys/boot/i386/cdboot/cdboot.s.orig	Tue Jun 22 23:55:22 2004
+++ src/sys/boot/i386/cdboot/cdboot.s	Tue Apr 11 16:39:48 2006
@@ -400,7 +400,7 @@
 ff.checkname:	lea DIR_NAME(%bx),%di		# Address name in record
 		push %si			# Save
 		repe cmpsb			# Compare name
-		jcxz ff.match			# We have a winner!
+		je ff.match			# We have a winner!
 		pop %si				# Restore
 		jmp ff.nextrec			# Keep looking.
 ff.match:	add $2,%sp			# Discard saved %si
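Review bot: `je` is the right test, but it reads ZF from the last byte that `repe cmpsb` actually compared, so it is only meaningful when %cx is non-zero on entry to the `repe cmpsb` one line above; with %cx == 0 no byte is compared and ZF is whatever the preceding instruction left. The load of %cx is outside this hunk, so a comment on the new line stating that dependency would help the next reader, e.g. `je ff.match # ZF from final cmpsb; %cx must be > 0`. The old `jcxz` only checked that the count was exhausted, which is also true when the final byte mismatched, so the swap fixes exactly the case the description names.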

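As an added illustration, not part of the PR or of cdboot.s, the following C program models what `repe cmpsb` leaves behind in %cx and ZF and applies the two tests the patch swaps, `jcxz` (count exhausted) and `je` (last compared bytes equal), to a constructed two-entry directory in which the decoy from the How-To-Repeat section sorts before the real file. It assumes the desired name is /boot/loader, the standard FreeBSD loader path, which the PR does not spell out, and it assumes the direction flag is clear so both pointers advance.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not part of the PR or of cdboot.s: a small C model of the
 * x86 "repe cmpsb" instruction and of the two conditional jumps the patch
 * swaps, so the failure mode can be exercised without a bootable CD. */

/* State left behind by "repe cmpsb": the remaining count in %cx and the
 * zero flag set by the last byte comparison performed. */
struct cmps_result {
    size_t cx;  /* remaining count after the loop */
    int zf;     /* zero flag: 1 if the last compared bytes were equal */
};

/* Model of "repe cmpsb" with the direction flag clear: while %cx != 0,
 * compare one byte at %si with one at %di, advance both, decrement %cx,
 * and stop early as soon as the bytes differ.  With %cx == 0 on entry no
 * comparison happens and ZF keeps its previous value (zf_in). */
static struct cmps_result repe_cmpsb(const uint8_t *si, const uint8_t *di,
                                     size_t cx, int zf_in)
{
    struct cmps_result r = { cx, zf_in };
    while (r.cx != 0) {
        r.zf = (*si == *di);
        si++; di++; r.cx--;
        if (!r.zf)
            break;  /* "repe" repeats only while the bytes are equal */
    }
    return r;
}

/* Original cdboot test, "jcxz ff.match": a match if the count ran out.
 * Exactly len bytes of entry are read, as the assembly does, so entries
 * handed to this model must be at least len bytes long. */
static int match_jcxz(const char *want, const char *entry, size_t len)
{
    struct cmps_result r = repe_cmpsb((const uint8_t *)want,
                                      (const uint8_t *)entry, len, 0);
    return r.cx == 0;
}

/* Patched cdboot test, "je ff.match": a match if the final compare was equal. */
static int match_je(const char *want, const char *entry, size_t len)
{
    struct cmps_result r = repe_cmpsb((const uint8_t *)want,
                                      (const uint8_t *)entry, len, 0);
    return r.zf;
}

/* Walk a directory in order, as ff.nextrec does, and return the index of the
 * first entry the given predicate accepts, or -1 if none does. */
static int first_match(int (*pred)(const char *, const char *, size_t),
                       const char *want, const char *const *dir, int n)
{
    size_t len = strlen(want);
    for (int i = 0; i < n; i++)
        if (pred(want, dir[i], len))
            return i;
    return -1;
}

/* Constructed directory: the decoy named in the PR appears before the real
 * loader.  The desired name /boot/loader is an assumption (standard FreeBSD
 * loader path); the PR only names the decoy. */
static const char *const sample_dir[] = { "/boot/loaded", "/boot/loader" };
enum { SAMPLE_DIR_LEN = 2 };
static const char *const wanted_name = "/boot/loader";

int main(void)
{
    printf("jcxz picks entry %d (the decoy)\n",
           first_match(match_jcxz, wanted_name, sample_dir, SAMPLE_DIR_LEN));
    printf("je   picks entry %d (the real loader)\n",
           first_match(match_je, wanted_name, sample_dir, SAMPLE_DIR_LEN));
    return 0;
}
```

Running it shows the `jcxz` predicate accepting the decoy at index 0 because both names are twelve bytes long and the count reaches zero on the mismatching final byte, while the `je` predicate rejects it and selects index 1. The `zf_in` argument also makes the %cx == 0 corner visible: with a zero count the model returns the inherited flag untouched, which is why the fixed code still depends on a non-zero length being loaded before the compare.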
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->jhb 
Responsible-Changed-By: ru 
Responsible-Changed-When: Tue Apr 11 15:34:38 UTC 2006 
Responsible-Changed-Why:  
Over to a likely committer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=95625 
State-Changed-From-To: open->patched 
State-Changed-By: jhb 
State-Changed-When: Tue Apr 11 17:27:16 UTC 2006 
State-Changed-Why:  
Patch applied, thanks!  Will MFC after the releases since this shouldn't 
affect the release ISOs. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=95625 
State-Changed-From-To: patched->closed 
State-Changed-By: delphij 
State-Changed-When: Mon Sep 25 09:58:42 UTC 2006 
State-Changed-Why:  
jhb@ MFC'ed the change as src/sys/boot/i386/cdboot/cdboot.s:1.13.8.3 

http://www.freebsd.org/cgi/query-pr.cgi?pr=95625 
>Unformatted:
