lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Thu, 8 Feb 2018 19:27:59 +0000
From:   "Hornseth, Brenan [USA]" <Hornseth_Brenan@....com>
To:     "linux-ext4@...R.KERNEL.ORG" <linux-ext4@...R.KERNEL.ORG>
Subject: Buffer overflow in e2fsprog's fsck utility

Hopefully this is the correct place to report this; I recently found a buffer overflow bug in the "fsck" command-line utility on an old version of the tool. Today I checked out the e2fsprogs master and compiled it on my x86-64 ubuntu 16.04 machine and confirmed the bug still exists.

I have been able to produce the bug on multiple machines with a command-line like:

fsck -t AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /dev/sda

Which results in a message: "*** buffer overflow detected ***: fsck terminated"

 

I believe the bug stems from fsck.c, execute() line 448. Relevant code follows:

 
    438         char *s, *argv[80], prog[80];
    439         int  argc, i;
    440         struct fsck_instance *inst, *p;
    441         pid_t   pid;
    442 
    443         inst = malloc(sizeof(struct fsck_instance));
    444         if (!inst)
    445                 return ENOMEM;
    446         memset(inst, 0, sizeof(struct fsck_instance));
    447 
    448         sprintf(prog, "fsck.%s", type);

Note that the sprintf() call does no bounds checking of the "type" argument and that "prog" is only 80 bytes in size.

Please let me know if you need anything else or would prefer a patch (and what format is preferred).

Thanks,

Brenan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ