Message-ID: <CO2PR0601MB79219CC741061DE67B2811784F30@CO2PR0601MB792.namprd06.prod.outlook.com>
Date: Thu, 8 Feb 2018 19:00:07 +0000
From: "Hornseth, Brenan [USA]" <Hornseth_Brenan@....com>
To: "linux-ext4@...R.KERNEL.ORG" <linux-ext4@...R.KERNEL.ORG>
Subject: Buffer overflow in e2fsprog's fsck utility
Hopefully this is the correct place to report this; I recently found a buffer overflow bug in the "fsck" command-line utility on an old version of the tool. Today I checked out the e2fsprogs master and compiled it on my x86-64 Ubuntu 16.04 machine and confirmed the bug still exists.
I have been able to produce the bug on multiple machines with a command-line like:
fsck -t AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /dev/sda
Which results in a message: "*** buffer overflow detected ***: fsck terminated"
I believe the bug stems from fsck.c, execute() line 448. Relevant code follows:
438     char *s, *argv[80], prog[80];
439     int argc, i;
440     struct fsck_instance *inst, *p;
441     pid_t pid;
442
443     inst = malloc(sizeof(struct fsck_instance));
444     if (!inst)
445         return ENOMEM;
446     memset(inst, 0, sizeof(struct fsck_instance));
447
-->448  sprintf(prog, "fsck.%s", type);
Note that the sprintf() call does no bounds checking of the "type" argument (which is a string that comes from the command line) and that "prog" is only 80 bytes in size.
Please let me know if you need anything else or would prefer a patch (and what format is preferred).
Thanks,
Brenan
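As an added illustration (not part of the report above and not e2fsprogs' own fix), a bounds-checked replacement for the sprintf() call at line 448: it formats into the same 80-byte buffer with snprintf() and rejects a type name that would not fit instead of writing past prog[]. The 200-byte type string is constructed here to stand in for the over-long command-line argument.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PROG_LEN 80   /* same size as prog[80] in the quoted execute() */

/* Build "fsck.<type>" into prog without writing past prog_len bytes.
 * Returns 0 on success; ENAMETOOLONG if the result would not fit (prog is
 * then an empty string); EINVAL on a NULL or zero-sized argument.
 * snprintf returns the length the full string would have needed, so a
 * value >= prog_len means it was truncated: exactly the case that the
 * original unbounded sprintf turned into a stack buffer overflow. */
int build_prog_name(char *prog, size_t prog_len, const char *type)
{
    int needed;

    if (prog == NULL || prog_len == 0 || type == NULL)
        return EINVAL;

    needed = snprintf(prog, prog_len, "fsck.%s", type);
    if (needed < 0 || (size_t)needed >= prog_len) {
        prog[0] = '\0';
        return ENAMETOOLONG;
    }
    return 0;
}

/* Constructed over-long type string (200 'A's), standing in for the
 * command-line argument shown in the report. */
const char *constructed_long_type(void)
{
    static char buf[201];
    memset(buf, 'A', sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return buf;
}

int main(void)
{
    char prog[PROG_LEN];

    if (build_prog_name(prog, sizeof(prog), "ext4") == 0)
        printf("ok: %s\n", prog);
    if (build_prog_name(prog, sizeof(prog), constructed_long_type()) == ENAMETOOLONG)
        printf("rejected: type does not fit in %d bytes\n", PROG_LEN);
    return 0;
}
```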