Message-ID: <2025122450-CVE-2022-50747-8937@gregkh>
Date: Wed, 24 Dec 2025 14:05:58 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50747: hfs: Fix OOB Write in hfs_asc2mac

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

hfs: Fix OOB Write in hfs_asc2mac

Syzbot reported an OOB Write bug:

loop0: detected capacity change from 0 to 64
==================================================================
BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0
fs/hfs/trans.c:133
Write of size 1 at addr ffff88801848314e by task syz-executor391/3632

Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:284
 print_report+0x107/0x1f0 mm/kasan/report.c:395
 kasan_report+0xcd/0x100 mm/kasan/report.c:495
 hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133
 hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28
 hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31
 lookup_open fs/namei.c:3391 [inline]
 open_last_lookups fs/namei.c:3481 [inline]
 path_openat+0x10e6/0x2df0 fs/namei.c:3710
 do_filp_open+0x264/0x4f0 fs/namei.c:3740

If in->len is much larger than HFS_NAMELEN(31), which is the maximum
length of an HFS filename, an OOB write could occur in hfs_asc2mac(). In
that case, when the dst reaches the boundary, the srclen is still
greater than 0, which causes an OOB write.
Fix this by adding a check on dstlen in while() before writing to dst
address.

The Linux kernel CVE team has assigned CVE-2022-50747 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.14 with commit 328b9227865026268261a24a97a578907b280415 and fixed in 4.9.337 with commit 8399318b13dc9e0569dee07ba2994098926d4fb2
	Issue introduced in 2.6.14 with commit 328b9227865026268261a24a97a578907b280415 and fixed in 4.14.303 with commit 95040de81c629cd8d3c6ab5b50a8bd5088068303
	Issue introduced in 2.6.14 with commit 328b9227865026268261a24a97a578907b280415 and fixed in 4.19.270 with commit ba8f0ca386dd15acf5a93cbac932392c7818eab4
	Issue introduced in 2.6.14 with commit 328b9227865026268261a24a97a578907b280415 and fixed in 5.4.229 with commit 6a95b17e4d4cd2d8278559f930b447f8c9c8cff9
	Issue introduced in 2.6.14 with commit 328b9227865026268261a24a97a578907b280415 and fixed in 5.10.163 with commit cff9fefdfbf5744afbb6d70bff2b49ec2065d23d
	Issue introduced in 2.6.14 with commit 328b9227865026268261a24a97a578907b280415 and fixed in 5.15.86 with commit 7af9cb8cbb81308ce4b06cc7164267faccbf75dd
	Issue introduced in 2.6.14 with commit 328b9227865026268261a24a97a578907b280415 and fixed in 6.0.16 with commit ae21b03f904736eb2aa9bd119d2a14e741f1681f
	Issue introduced in 2.6.14 with commit 328b9227865026268261a24a97a578907b280415 and fixed in 6.1.2 with commit 88579c158e026860c61c4192531e8bc42f4bc642
	Issue introduced in 2.6.14 with commit 328b9227865026268261a24a97a578907b280415 and fixed in 6.2 with commit c53ed55cb275344086e32a7080a6b19cb183650b

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-50747
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/hfs/trans.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/8399318b13dc9e0569dee07ba2994098926d4fb2
	https://git.kernel.org/stable/c/95040de81c629cd8d3c6ab5b50a8bd5088068303
	https://git.kernel.org/stable/c/ba8f0ca386dd15acf5a93cbac932392c7818eab4
	https://git.kernel.org/stable/c/6a95b17e4d4cd2d8278559f930b447f8c9c8cff9
	https://git.kernel.org/stable/c/cff9fefdfbf5744afbb6d70bff2b49ec2065d23d
	https://git.kernel.org/stable/c/7af9cb8cbb81308ce4b06cc7164267faccbf75dd
	https://git.kernel.org/stable/c/ae21b03f904736eb2aa9bd119d2a14e741f1681f
	https://git.kernel.org/stable/c/88579c158e026860c61c4192531e8bc42f4bc642
	https://git.kernel.org/stable/c/c53ed55cb275344086e32a7080a6b19cb183650b
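
The condition in the Description above, as an added user-space illustration (not the kernel's code from fs/hfs/trans.c and not part of the original message): a simplified copy loop run once with only srclen bounding it and once with the additional dstlen check. The names asc2mac_model and bytes_past_name, the GUARD region and the 0xCC fill are constructed for this example; the guard bytes keep every write inside the demo buffer.

```c
#include <stdio.h>
#include <string.h>

#define HFS_NAMELEN 31  /* maximum HFS filename length, per the advisory */
#define GUARD 64        /* constructed guard bytes standing in for adjacent slab memory */

/* Simplified model of the copy loop: ':' is stored as '/'.
 * check_dst == 0: only srclen bounds the loop (the pre-fix condition).
 * check_dst == 1: the loop also stops once dstlen reaches 0 (the fix). */
static int asc2mac_model(unsigned char *dst, int dstlen,
                         const char *src, int srclen, int check_dst)
{
    unsigned char *start = dst;

    while (srclen > 0 && (!check_dst || dstlen > 0)) {
        char ch = *src++;
        srclen--;
        *dst++ = (ch == ':') ? '/' : (unsigned char)ch;
        dstlen--;
    }
    return (int)(dst - start);
}

/* Feed the model a srclen-byte name and count the guard bytes that were
 * overwritten, i.e. bytes written past the HFS_NAMELEN-byte name field. */
int bytes_past_name(int srclen, int check_dst)
{
    unsigned char buf[HFS_NAMELEN + GUARD];
    char src[HFS_NAMELEN + GUARD];
    int i, over = 0;

    if (srclen > (int)sizeof(src))
        srclen = (int)sizeof(src);      /* keep the demo inside buf */
    memset(src, 'A', sizeof(src));
    memset(buf, 0xCC, sizeof(buf));     /* constructed guard pattern */
    asc2mac_model(buf, HFS_NAMELEN, src, srclen, check_dst);
    for (i = HFS_NAMELEN; i < (int)sizeof(buf); i++)
        if (buf[i] != 0xCC)
            over++;
    return over;
}

int main(void)
{
    printf("len 31, unchecked: %d\n", bytes_past_name(31, 0));
    printf("len 64, unchecked: %d\n", bytes_past_name(64, 0));
    printf("len 64, checked:   %d\n", bytes_past_name(64, 1));
    return 0;
}
```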
