| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Feb 2018 19:00:07 +0000 From: "Hornseth, Brenan [USA]" <Hornseth_Brenan@....com> To: "linux-ext4@...R.KERNEL.ORG" <linux-ext4@...R.KERNEL.ORG> Subject: Buffer overflow in e2fsprog's fsck utility Hopefully this is the correct place to report this; I recently found a buffer overflow bug in the "fsck" command-line utility on an old version of the tool. Today I checked out the e2fsprogs master and compiled it on my x86-64 ubuntu 16.04 machine and confirmed the bug still exists. I have been able to produce the bug on multiple machines with a command-line like: fsck -t AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /dev/sda Which results in a message: "*** buffer overflow detected ***: fsck terminated" I believe the bug stems from fsck.c, execute() line 448. Relevant code follows: 438 char *s, *argv[80], prog[80]; 439 int argc, i; 440 struct fsck_instance *inst, *p; 441 pid_t pid; 442 443 inst = malloc(sizeof(struct fsck_instance)); 444 if (!inst) 445 return ENOMEM; 446 memset(inst, 0, sizeof(struct fsck_instance)); 447 -->448 sprintf(prog, "fsck.%s", type); Note that the sprintf() call does no bounds checking of the "type" argument (which is a string that comes from the command line) and that "prog" is only 80 bytes in size. Please let me know if you need anything else or would prefer a patch (and what format is preferred). Thanks, Brenan
Powered by blists - more mailing lists