GitList

Browse code

gpt: warning on non-protective mbr detection

Kevin Lin authored on 2014/02/11 07:08:45
Showing 3 changed files

libclamav/gpt.c index f017f9b..cd98848 100644
libclamav/mbr.c index f28e641..da022a2 100644
libclamav/mbr.h index 93a60bb..58e349a 100644

@@ -34,6 +34,7 @@
                      #include "cltypes.h"
                      #include "others.h"
                      #include "gpt.h"
                     +#include "mbr.h"
                      #include "str.h"
                      #include "prtn_intxn.h"
                      #include "scanners.h"
@@ -63,6 +64,7 @@ enum GPT_SCANSTATE {
                      static int gpt_scan_partitions(cli_ctx *ctx, struct gpt_header hdr, size_t sectorsize);
                      static int gpt_validate_header(cli_ctx *ctx, struct gpt_header hdr, size_t sectorsize);
                     +static int gpt_check_mbr(cli_ctx *ctx, size_t sectorsize);
                      static void gpt_printSectors(cli_ctx *ctx, size_t sectorsize);
                      static void gpt_printName(uint16_t name[], const char* msg);
                      static void gpt_printGUID(uint8_t GUID[], const char* msg);
@@ -111,7 +113,7 @@ int cli_scangpt(cli_ctx *ctx, size_t sectorsize)
                          /* sector size calculatation */
                          if (sectorsize == 0) {
                              sectorsize = gpt_detect_size((*ctx->fmap));
                     -        cli_errmsg("cli_scangpt: detected %u sector size\n", sectorsize);
                     +        cli_dbgmsg("cli_scangpt: detected %u sector size\n", sectorsize);
+                         }
                          if (sectorsize == 0) {
                              cli_errmsg("cli_scangpt: could not detemine sector size\n");
@@ -126,6 +128,14 @@ int cli_scangpt(cli_ctx *ctx, size_t sectorsize)
                              return CL_EFORMAT;
+                         }
                     +    /* check the protective mbr */
                     +    ret = gpt_check_mbr(ctx, sectorsize);
                     +    if ((ret != CL_CLEAN) &&
                     +        !((ctx->options & CL_SCAN_ALLMATCHES) && (ret == CL_VIRUS))) {
+                    +
                     +        return ret;
                     +    }
+                    +
                          pos = GPT_PRIMARY_HDR_LBA * sectorsize; /* sector 1 (second sector) is the primary gpt header */
                          /* read primary gpt header */
@@ -454,6 +464,58 @@ static int gpt_validate_header(cli_ctx *ctx, struct gpt_header hdr, size_t secto
                          return CL_SUCCESS;
+                     }
                     +static int gpt_check_mbr(cli_ctx *ctx, size_t sectorsize)
                     +{
                     +    struct mbr_boot_record pmbr;
                     +    off_t pos = 0, mbr_base = 0;
                     +    int ret = CL_CLEAN;
                     +    unsigned i = 0;
+                    +
                     +    /* read the mbr */
                     +    mbr_base = sectorsize - sizeof(struct mbr_boot_record);
                     +    pos = (MBR_SECTOR * sectorsize) + mbr_base;
+                    +
                     +    if (fmap_readn(*ctx->fmap, &pmbr, pos, sizeof(pmbr)) != sizeof(pmbr)) {
                     +        cli_dbgmsg("cli_scangpt: Invalid primary MBR header\n");
                     +        return CL_EFORMAT;
                     +    }
+                    +
                     +    /* convert mbr */
                     +    mbr_convert_to_host(&pmbr);
+                    +
                     +    /* check the protective mbr - warning */
                     +    if (pmbr.entries[0].type == MBR_PROTECTIVE) {
                     +        /* check the efi partition matches the gpt spec */
                     +        if (pmbr.entries[0].firstLBA != GPT_PRIMARY_HDR_LBA) {
                     +            cli_warnmsg("cli_scangpt: protective MBR first LBA is incorrect %u\n",
                     +                        pmbr.entries[0].firstLBA);
                     +        }
+                    +
                     +        /* other entries are empty */
                     +        for (i = 1; i < MBR_MAX_PARTITION_ENTRIES; ++i) {
                     +            if (pmbr.entries[i].type != MBR_EMPTY) {
                     +                cli_warnmsg("cli_scangpt: protective MBR has non-empty partition\n");
                     +                break;
                     +            }
                     +        }
                     +    }
                     +    else if (pmbr.entries[0].type == MBR_HYBRID) {
                     +        /* hybrid mbr detected */
                     +        cli_warnmsg("cli_scangpt: detected a hybrid MBR\n");
                     +    }
                     +    else {
                     +        /* non-protective mbr detected */
                     +        cli_warnmsg("cli_scangpt: detected a non-protective MBR\n");
                     +    }
+                    +
                     +    /* scan the bootloader segment - pushed to scanning mbr */
                     +    /* check if MBR size matches GPT size */
                     +    /* check if the MBR and GPT partitions align - heuristic */
                     +    /* scan the MBR partitions - additional scans */
+                    +
                     +    return ret;
                     +}
+                    +
                      static void gpt_printSectors(cli_ctx *ctx, size_t sectorsize)
+                     {
                      #ifdef DEBUG_GPT_PARSE

libclamav/mbr.c

History View file @ b374521

@@ -67,7 +67,6 @@ enum MBR_STATE {
                      static int mbr_scanextprtn(cli_ctx *ctx, unsigned *prtncount, off_t extlba,
                                                 size_t extlbasize, size_t sectorsize);
                      static void mbr_printbr(struct mbr_boot_record *record);
                     -static void mbr_convert_to_host(struct mbr_boot_record *record);
                      static int mbr_check_mbr(struct mbr_boot_record *record, size_t maplen, size_t sectorsize);
                      static int mbr_check_ebr(struct mbr_boot_record *record);
                      static int mbr_primary_prtn_intxn(cli_ctx *ctx, struct mbr_boot_record mbr, size_t sectorsize);
@@ -273,11 +272,11 @@ static int mbr_scanextprtn(cli_ctx *ctx, unsigned *prtncount, off_t extlba, size
                                              logiclba = 0;
                                              /* fall-through */
                                          case SEEN_EXTENDED:
                     -                        cli_dbgmsg("cli_scanebr: detected a logical boot record "
                     -                                   "without a partition record\n");
                     +                        cli_warnmsg("cli_scanebr: detected a logical boot record "
                     +                                    "without a partition record\n");
                                              break;
                                          default:
                     -                        cli_dbgmsg("cli_scanebr: undefined state for EBR parsing\n");
                     +                        cli_warnmsg("cli_scanebr: undefined state for EBR parsing\n");
                                              return CL_EPARSE;
+                                         }
+                                     }
@@ -289,12 +288,12 @@ static int mbr_scanextprtn(cli_ctx *ctx, unsigned *prtncount, off_t extlba, size
                                          case SEEN_PARTITION:
                                              break;
                                          case SEEN_EMPTY:
                     -                        cli_dbgmsg("cli_scanebr: detected a logical boot record "
                     -                                   "without a partition record\n");
                     +                        cli_warnmsg("cli_scanebr: detected a logical boot record "
                     +                                    "without a partition record\n");
                                              break;
                                          case SEEN_EXTENDED:
                     -                        cli_dbgmsg("cli_scanebr: detected a logical boot record "
                     -                                   "with multiple extended partition records\n");
                     +                        cli_warnmsg("cli_scanebr: detected a logical boot record "
                     +                                    "with multiple extended partition records\n");
                                              return CL_EFORMAT;
                                          default:
                                              cli_dbgmsg("cli_scanebr: undefined state for EBR parsing\n");
@@ -309,17 +308,17 @@ static int mbr_scanextprtn(cli_ctx *ctx, unsigned *prtncount, off_t extlba, size
                                              state = SEEN_PARTITION;
                                              break;
                                          case SEEN_PARTITION:
                     -                        cli_dbgmsg("cli_scanebr: detected a logical boot record "
                     -                                   "with multiple partition records\n");
                     +                        cli_warnmsg("cli_scanebr: detected a logical boot record "
                     +                                    "with multiple partition records\n");
                                              logiclba = 0; /* no extended partitions are possible */
                                              break;
                                          case SEEN_EXTENDED:
                     -                        cli_dbgmsg("cli_scanebr: detected a logical boot record "
                     -                                   "with extended partition record first\n");
                     +                        cli_warnmsg("cli_scanebr: detected a logical boot record "
                     +                                    "with extended partition record first\n");
                                              break;
                                          case SEEN_EMPTY:
                     -                        cli_dbgmsg("cli_scanebr: detected a logical boot record "
                     -                                   "with empty partition record first\n");
                     +                        cli_warnmsg("cli_scanebr: detected a logical boot record "
                     +                                    "with empty partition record first\n");
                                              logiclba = 0; /* no extended partitions are possible */
                                              break;
                                          default:
@@ -357,6 +356,20 @@ static int mbr_scanextprtn(cli_ctx *ctx, unsigned *prtncount, off_t extlba, size
                          return ret;
+                     }
                     +void mbr_convert_to_host(struct mbr_boot_record *record)
                     +{
                     +    struct mbr_partition_entry *entry;
                     +    unsigned i;
+                    +
                     +    for (i = 0; i < MBR_MAX_PARTITION_ENTRIES; ++i) {
                     +        entry = &record->entries[i];
+                    +
                     +        entry->firstLBA = le32_to_host(entry->firstLBA);
                     +        entry->numLBA = le32_to_host(entry->numLBA);
                     +    }
                     +    record->signature = be16_to_host(record->signature);
                     +}
+                    +
                      static void mbr_printbr(struct mbr_boot_record *record)
+                     {
                          unsigned i;
@@ -375,20 +388,6 @@ static void mbr_printbr(struct mbr_boot_record *record)
+                         }
+                     }
                     -static void mbr_convert_to_host(struct mbr_boot_record *record)
                     -{
                     -    struct mbr_partition_entry *entry;
                     -    unsigned i;
+                    -
                     -    for (i = 0; i < MBR_MAX_PARTITION_ENTRIES; ++i) {
                     -        entry = &record->entries[i];
+                    -
                     -        entry->firstLBA = le32_to_host(entry->firstLBA);
                     -        entry->numLBA = le32_to_host(entry->numLBA);
                     -    }
                     -    record->signature = be16_to_host(record->signature);
                     -}
+                    -
                      static int mbr_check_mbr(struct mbr_boot_record *record, size_t maplen, size_t sectorsize)
+                     {
                          unsigned i = 0;

libclamav/mbr.h

History View file @ b374521

@@ -44,6 +44,8 @@
                      /* MBR Partition Types */
                      #define MBR_EMPTY      0x00
                      #define MBR_EXTENDED   0x05
                     +#define MBR_HYBRID     0xed
                     +#define MBR_PROTECTIVE 0xee
                      /* End Partition Types */
                      #ifndef HAVE_ATTRIB_PACKED
@@ -84,5 +86,6 @@ struct mbr_boot_record {
                      int cli_mbr_check(const unsigned char *buff, size_t len, size_t maplen);
                      int cli_scanmbr(cli_ctx *ctx, size_t sectorsize);
                     +void mbr_convert_to_host(struct mbr_boot_record *record);
                      #endif